nr: #1 dodano: 2016-12-26 19:12
An attacker can send a cross-site request with an
XMLHttpRequest without violation the Same-Origin Policy (SOP) - the only limit here is that the attacker's site won't be able to see the response. Cookies are included with every request sent by the victim's browser so the API call will still fire with a cross-site XHR, so this API is still vulnerable to CSRF.
If you don't want to make any security architecture changes, then the CSRF Prevention Cheat Sheet recommends checking the Origin header. This document describes other methods, such as the CSRF token synchronizer method which could be used as a header element and is considered a stronger method of defense.