
I see this a lot as an anti-CSRF technique in AJAX-based SPAs.



Yeah, those techniques predate CORS, but even back then, you'd typically add your anti-CSRF token to the payload rather than the header. CSRF is application-level logic rather than protocol-level.



