Prevent CSRF Vulnerabilities, Alternative methods to CSRF Token

Tags:

php

csrf

A common way to prevent CSRF is using tokens hidden in forms. Just out of curiosity, is this the only way of actually preventing CSRF? People arguing that a CSRF token is not needed are driving me crazy and I need to understand why. How else can I prevent CSRF attacks?

user1831020 asked Nov 12 '22 09:11


1 Answer

Actually, using a CSRF token is just another layer of defense. According to the OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet, verifying the request origin can also be used in CSRF protection. To verify the origin we can use:

  1. Origin Header
    • The Origin header includes the information of the scheme, host and port that initiated the request.
  2. Referer Header
    • The Referer header contains the address of the previous web page from which a link to the currently requested web page was followed.

However, there are limitations in using this approach, such as the unavailability and integrity of the headers. There are ways for attackers to change the value of these headers. Therefore it is recommended to always have multiple layers of defense.

Kasun Dharmadasa answered Nov 15 '22 11:11
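One way to implement the origin verification the answer describes, written in PHP as an added example that is not part of the original answer or of any library: it compares the Origin header against the site's own origin, falls back to the Referer header's origin part when Origin is absent, and fails closed when neither is available (the "unavailability" limitation above). The target origin `https://app.example.com`, the headers array with lower-case keys, and the sample requests are all assumed or constructed for the example; in a real application the headers would come from `$_SERVER['HTTP_ORIGIN']` / `$_SERVER['HTTP_REFERER']` and the check would run only on state-changing requests, alongside the CSRF token, not instead of it.

```php
<?php
// Added example (not the original answer's code): origin/referer check as one
// CSRF defense layer, per the OWASP CSRF Prevention Cheat Sheet guidance.
declare(strict_types=1);

/**
 * Returns true when the request's source origin matches the target origin.
 *
 * @param array<string,string> $headers      request headers with lower-case keys
 *                                           (assumed input shape for this example)
 * @param string               $targetOrigin the origin this app is served from,
 *                                           e.g. "https://app.example.com" (assumed)
 */
function request_origin_is_trusted(array $headers, string $targetOrigin): bool
{
    $target = parse_url($targetOrigin);
    if ($target === false || !isset($target['scheme'], $target['host'])) {
        return false;
    }
    $expected = normalize_origin($target['scheme'], $target['host'], $target['port'] ?? null);

    // 1. Prefer Origin: browsers send it on cross-origin POSTs and it carries only
    //    scheme://host[:port]. The literal "null" (sandboxed/opaque origins) or an
    //    unparsable value does not match and is therefore denied.
    if (isset($headers['origin'])) {
        $o = parse_url($headers['origin']);
        if ($o === false || !isset($o['scheme'], $o['host'])) {
            return false;
        }
        return normalize_origin($o['scheme'], $o['host'], $o['port'] ?? null) === $expected;
    }

    // 2. Fall back to Referer, comparing only its origin part (path is ignored).
    if (isset($headers['referer'])) {
        $r = parse_url($headers['referer']);
        if ($r === false || !isset($r['scheme'], $r['host'])) {
            return false;
        }
        return normalize_origin($r['scheme'], $r['host'], $r['port'] ?? null) === $expected;
    }

    // 3. Neither header present (privacy extensions, some proxies strip them):
    //    fail closed. The token layer still has to accept the request anyway.
    return false;
}

/** Build a comparable "scheme://host:port" string, filling in the default port. */
function normalize_origin(string $scheme, string $host, ?int $port): string
{
    $scheme = strtolower($scheme);
    $host   = strtolower($host);
    if ($port === null) {
        $port = $scheme === 'https' ? 443 : 80;
    }
    return "{$scheme}://{$host}:{$port}";
}

// Constructed sample requests against the assumed target origin.
$target = 'https://app.example.com';
$cases = [
    'same-origin form post'   => ['origin'  => 'https://app.example.com'],
    'cross-site post'         => ['origin'  => 'https://evil.example.net'],
    'origin "null"'           => ['origin'  => 'null'],
    'referer only'            => ['referer' => 'https://app.example.com/settings'],
    'scheme mismatch'         => ['referer' => 'http://app.example.com/settings'],
    'no headers at all'       => [],
];
foreach ($cases as $label => $headers) {
    printf("%-24s %s\n", $label, request_origin_is_trusted($headers, $target) ? 'allow' : 'deny');
}
```

Only the first and fourth cases are allowed; the scheme mismatch is denied because the comparison includes scheme and port, so a plain-http Referer does not match an https target. Failing closed when both headers are missing is a deliberate choice here: it makes the origin layer strict, which is acceptable precisely because, as the answer says, it is one of several layers rather than the only one.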