-
How Can I Defend Against Cross-site Request Forgery (CSRF) Attacks?
The most effective way to protect against CSRF vulnerabilities is to include a CSRF token within relevant requests, for example, a parameter in a hidden form field. This additional token should contain sufficient entropy and be generated using a cryptographic random number generator. It is not feasible for an attacker to determine or predict the value of any token issued to another user..
This token should be a nonce (one-time use) value that changes for each request sent. The server should also check this value to ensure the expected value is sent. A method should also be implemented to ensure that the CSRF token is valid for its associated session.
