3.6 Cross-Site Request Forgery (CSRF)
This topic explains Cross-Site Request Forgery (CSRF) and how it is addressed.
For XMLHttpRequest requests, the XMLHttpRequest object sets a custom HTTP header on the request whose value is the CSRF token. The server then verifies both that this header is present and that the CSRF token it carries is valid. This protects the endpoints used for XMLHttpRequest requests, because only XMLHttpRequest objects can set custom HTTP headers (apart from Flash), and neither can make cross-domain requests.