Preventing Cross-Site Request Forgery Attacks
Cross-site request forgery (CSRF) attacks can be prevented by ensuring that any request that creates, updates, or deletes data in the application can only have come from a valid user submitting a valid link or form generated by the application itself, and not from a URL crafted by a third party and submitted unwittingly by that user.
The various CSRF prevention techniques include:
• The use of a unique token
• The use of a challenge-response scheme, such as CAPTCHAs
• Checking the HTTP Referer Header
• Checking the HTTP Origin Header
• Establishing and using best practices when accessing the application
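As an added example that is not part of the original text, the following Python (standard library only) combines the first and fourth techniques above: a CSRF token bound to the user's session, checked alongside the Origin header with a Referer fallback. SERVER_SECRET and ALLOWED_ORIGINS are constructed demo values, and the dict-based request shape is an assumption standing in for a real framework's request object.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_SECRET = b"demo-secret-rotate-me"      # constructed value, not a real key
ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed: the application's own origin


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce).

    Binding the MAC to the session means a token lifted from another user's
    page (or an older session) fails validation for this user.
    """
    nonce = secrets.token_hex(16)
    msg = f"{session_id}:{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:          # missing separator: malformed or empty token
        return False
    msg = f"{session_id}:{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def source_is_allowed(headers: dict) -> bool:
    """Prefer the Origin header; fall back to the Referer's scheme+host.

    Strict policy: a state-changing request carrying neither header is
    rejected rather than assumed to be same-origin.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def request_is_safe(session_id: str, form: dict, headers: dict) -> bool:
    """Both checks must pass before a create/update/delete is processed."""
    return source_is_allowed(headers) and token_is_valid(session_id, form.get("csrf_token", ""))
```

Because the token is only issued into pages the application renders, a forged cross-site form cannot include a valid one, and the Origin check catches the forgery even if the token check were misconfigured.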