
Add custom header on non-ajax post


AFAIK it's not possible to set a header field when a form is submitted; it can only be done in AJAX requests.

This question also points out that it's not possible:

But reading the Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet, it's mentioned that:

Encrypted Token Pattern

Overview

The Encrypted Token Pattern leverages an encryption, rather than comparison, method of Token-validation. After successful authentication, the server generates a unique Token comprised of the user's ID, a timestamp value and a nonce, using a unique key available only on the server. This Token is returned to the client and embedded in a hidden field. Subsequent AJAX requests include this Token in the request-header, in a similar manner to the Double-Submit pattern. Non-AJAX form-based requests will implicitly persist the Token in its hidden field, although I recommend persisting this data in a custom HTTP header in such cases. On receipt of this request, the server reads and decrypts the Token value with the same key used to create the Token.

This sentence confuses me:

I recommend persisting this data in a custom HTTP header in such cases

Could anyone shed some light on it?


Solution

  • Yes, the sentence implies that the POST operation is invoked by a custom JavaScript handler in order to inject the AUTH header. I've corrected the OWASP description to reflect this oversight.
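To make the answer concrete, here is an added browser-side example of the JavaScript handler it describes. It is not code from the answer or from OWASP; it assumes the hidden field is named `csrf_token`, the header is `X-CSRF-Token`, and the forms to intercept carry a `data-csrf-header` attribute. The handler cancels the native submission and replays it with `fetch()`, which is the only way a plain HTML form's POST can carry a custom header.

```javascript
// Added example (not from the page): submit a form through fetch() so a custom
// anti-CSRF header can be attached. Assumed names: hidden field "csrf_token",
// header "X-CSRF-Token", and forms marked with data-csrf-header.
const TOKEN_FIELD = "csrf_token";
const TOKEN_HEADER = "X-CSRF-Token";

// Build the fetch() options for a form POST from its method and [name, value]
// pairs. Pure function, so it can be unit-tested without a DOM. The token is
// sent in the header and also kept in the body, so a server that validates
// either location still works.
function buildFormRequest(method, fields) {
  const token = fields.find(([name]) => name === TOKEN_FIELD);
  if (!token || !token[1]) {
    throw new Error(`missing ${TOKEN_FIELD} hidden field`);
  }
  const body = new URLSearchParams();
  for (const [name, value] of fields) body.append(name, String(value));
  return {
    method: method.toUpperCase(),
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      [TOKEN_HEADER]: token[1],
    },
    body: body.toString(),
    // same-origin: cookies are sent only to the page's own origin.
    credentials: "same-origin",
  };
}

// Browser wiring: replace native submission with a fetch() carrying the header.
function attachHeaderSubmit(form) {
  form.addEventListener("submit", async (event) => {
    event.preventDefault();
    const fields = Array.from(new FormData(form).entries());
    const init = buildFormRequest(form.method || "post", fields);
    const response = await fetch(form.action, init);
    // Follow the server's post-redirect-get the way a native submit would.
    if (response.redirected) window.location.assign(response.url);
  });
}

// Only runs in a browser; harmless when loaded in Node for testing.
if (typeof document !== "undefined") {
  document.querySelectorAll("form[data-csrf-header]").forEach(attachHeaderSubmit);
}
```

A useful side effect of the header is that a cross-origin request carrying it is no longer a "simple" request, so the browser sends a CORS preflight and will not deliver the POST unless the server explicitly allows that header. Without JavaScript the form still submits natively, so the server must keep validating the hidden field as well.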