In their guidelines for securing your application against CSRF attacks, OWASP recommends two separate checks:

1. Check standard headers to verify the request is same origin
2. AND Check CSRF token

This question asks if it suffices to check the headers without having a token. I am wondering the converse - is it sufficient to create and check an encrypted CSRF token without checking any headers?

2 Answers

Yes. This is the first time I see anyone recommending doing both. Checking the headers always feels a little hacky: the Referer header was not designed as a security header (there might be obscure cases where it fails) and is not always set. We typically recommend using tokens and don't suggest checking the "Referer" header.

It can't hurt to do both if you reject when either condition fails, but tokens are enough -- assuming they're implemented properly.

Luc
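Both OWASP checks from the question, as an added example that is not code from the question or either answer: a session-bound signed token (HMAC stands in for the "encrypted" token the question mentions; the key, origin, request shape and function names are assumptions of this example) plus a same-origin check that fails closed when Origin and Referer are both absent, which is the case the answer above warns about.

```python
# Added example (not from the question or answers). Names, the request
# dict shape and the HMAC token format are assumptions for the demo.
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)     # per-deployment secret (assumed)
SITE_ORIGIN = "https://app.example"      # constructed origin for the demo


def make_csrf_token(session_id: str) -> str:
    """Bind the token to the session so a token from another session is useless."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_check(request: dict, session_id: str) -> bool:
    """OWASP check 2: the submitted token must match the session-bound one."""
    submitted = request.get("form", {}).get("csrf_token", "")
    # compare_digest avoids leaking the expected value through timing
    return hmac.compare_digest(submitted, make_csrf_token(session_id))


def same_origin_check(request: dict) -> bool:
    """OWASP check 1: Origin, falling back to Referer; missing headers fail closed."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False                     # Referer is not always set; reject
    parts = urlsplit(source)             # "null" Origin yields no scheme/netloc
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def is_request_allowed(request: dict, session_id: str) -> bool:
    """Reject when either check fails, as the answer above describes."""
    return same_origin_check(request) and token_check(request, session_id)


# Constructed requests: a legitimate same-site post and a cross-site forgery.
SESSION = "sess-123"
GOOD = {"headers": {"Origin": SITE_ORIGIN},
        "form": {"csrf_token": make_csrf_token(SESSION)}}
FORGED = {"headers": {"Origin": "https://evil.example"},
          "form": {"csrf_token": "guess"}}
```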

As a recent graduate school graduate (I hold an MS in I.T. - Cybersecurity) I would have to advise to follow the industry standard and check both the headers and the token. One of the industry standards is NIST Special Publication 800-63b; I recommend that you start there.

  • 1
    I see CSRF mentioned once in that document, and it says "It is important to embed and verify a session identifier into web requests to prevent the ability for a valid URL or request to be unintentionally or maliciously activated." I see nothing about verifying headers. – AndrolGenhald Sep 20 '17 at 18:41
  • Ok I stand corrected! I always check headers as well. Check with the NIST Cybersecurity Framework document as well as ISACA's COBIT 5. The entire NIST SP 800 series gives a better picture of the total framework. – SecurityDoctor Sep 20 '17 at 18:51
  • I am at my 'other day job' at the moment. When I get home tonight I will do more research on the answer. – SecurityDoctor Sep 20 '17 at 18:54
  • I see this answer was downvoted for other reasons but I would like to emphasize one important thing you got correct: looking at an industry standard (such as what OP cites) is typically a good idea. – Luc Oct 20 '17 at 21:53