Below are the recommended CSRF actions for each request category.
For Non-HTML Form POST Requests
Verify CSRF Token: These requests generally pass this check, since they are not expected to carry a CSRF token in the body.
Verify HTTP Origin Header or CSRF Token: The Origin header of the request is inspected. If the Origin is valid, the request is allowed to proceed. The CSRF token is not considered for these requests, so a request without a valid Origin header is denied.
For HTML Form Submission Requests
Verify CSRF Token: The server verifies the CSRF token provided in the request body. If the token is valid, the request is accepted.
Verify HTTP Origin Header or CSRF Token: The server first examines the Origin header. If the Origin check passes, the request is permitted. If the Origin check fails, the server falls back to verify the CSRF token in the request body. The request is only denied if both checks fail.
Sample scenarios
The table below lists the request types and how each configured action behaves for them.
For example, for a "FORM POST with Token and without Origin header", the request passes under 'Verify CSRF Token' if the token is verified. Under 'Verify HTTP Origin Header or CSRF Token' it also passes if the token is verified. Under 'Verify only Origin', however, the request fails because there is no Origin header.
| Request Type | Verify CSRF Token | Verify HTTP Origin Header or CSRF Token | Verify only Origin |
|---|---|---|---|
| FORM POST with Token and without Origin header | PASS if verified | PASS if verified | FAIL |
| FORM POST with Token and with Origin header | PASS if verified | PASS if verified | PASS |
| FORM POST without Token and without Origin header | FAIL | FAIL | FAIL |
| FORM POST without Token and with Origin header | FAIL | PASS if verified | PASS if verified |
| Fetch/XMLHttpRequest/jQuery with Origin header | PASS if verified | PASS if verified | PASS if verified |
| Fetch/XMLHttpRequest/jQuery without Origin header | PASS if verified | FAIL | FAIL |
The recommendation is to use the Verify HTTP Origin Header or CSRF Token option for any kind of request.
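The decision logic described under the two request categories and spelled out row by row in the table, written out as an added Python example (not the product's own code). It assumes a single trusted origin, a constructed session token, and a request dict that abstracts whether the token arrives in a form body or a header; the Origin comparison is an exact match and the token comparison is constant-time.

```python
import hmac

# Constructed sample values: the site's own origin and the token bound to the session.
TRUSTED_ORIGINS = {"https://app.example.com"}
SESSION_TOKEN = "f3a9c2e1d4b5"

ACTION_TOKEN = "Verify CSRF Token"
ACTION_ORIGIN_OR_TOKEN = "Verify HTTP Origin Header or CSRF Token"
ACTION_ORIGIN = "Verify only Origin"


def origin_ok(req):
    """Origin check: the header must be present and match a trusted origin exactly."""
    return req.get("origin") in TRUSTED_ORIGINS


def token_ok(req, session_token=SESSION_TOKEN):
    """Token check: compare in constant time so timing does not leak the token."""
    token = req.get("token")
    return token is not None and hmac.compare_digest(token, session_token)


def csrf_decision(action, req):
    """Return 'PASS' or 'FAIL' for a request under the configured action.

    req is a dict {'form': bool, 'origin': str|None, 'token': str|None};
    'form' is True for an HTML form submission, False for fetch/XHR-style requests.
    """
    if action == ACTION_ORIGIN:
        return "PASS" if origin_ok(req) else "FAIL"
    if action == ACTION_TOKEN:
        if not req["form"]:
            # Non-form requests are not expected to carry a body token: they pass,
            # unless one is present and fails verification (our reading of "generally pass").
            has_token = req.get("token") is not None
            return "FAIL" if has_token and not token_ok(req) else "PASS"
        return "PASS" if token_ok(req) else "FAIL"
    if action == ACTION_ORIGIN_OR_TOKEN:
        if origin_ok(req):
            return "PASS"
        # The token fallback applies to form submissions only; for non-form requests
        # the token is not considered, so a missing or mismatched Origin is a FAIL.
        if req["form"] and token_ok(req):
            return "PASS"
        return "FAIL"
    raise ValueError(f"unknown action: {action}")
```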