
This is related to the post https://security.stackexchange.com/questions/23371/csrf-protection-with-custom-headers-and-without-validating-token/23373#23373?newreg=9acf3e40d05f4d19a00eb58b160f8453

So if we have decided to use Custom Header Validation as an option for CSRF protection, and if we need to use some other custom header other than "X-Requested-By", then what is the best way to do that?

victor
    Can you describe the actual problem you're trying to solve? Why are you not using a token? Why do you need to use some other custom header? Why haven't you been able to use any random header of your choosing? – Xander Dec 29 '15 at 21:36
  • Actually I want to protect my REST APIs from CSRF attacks, so as per the post mentioned in the question we can do it in two ways: one is through custom header validation and another is one token per request. I have chosen to use Custom Header validation, but instead of X-Requested-By I want to use some other custom header used by my application. I am using the Sun Jersey REST library. – victor Dec 29 '15 at 21:43
  • Ah, ok, that clears it up. It's not a security question then, but a programming question. I'll flag it to be moved over to StackOverflow then. – Xander Dec 29 '15 at 21:47
  • So, do you have some reason not to use that header? Do you have any specific problem in implementing this? – eis Dec 30 '15 at 07:45
  • I don't have any problem in using that header, but we already have a lot of custom headers in our application requests, so why would I want to introduce another one? Instead of that I can validate my existing header, right? – victor Dec 30 '15 at 07:51
  • What exactly I mean is, why are they restricting us to using only X-Requested-By in this API - https://jersey.java.net/apidocs/1.17/jersey/com/sun/jersey/api/container/filter/CsrfProtectionFilter.html – victor Dec 30 '15 at 08:05

1 Answer

From the source code of CsrfProtectionFilter, the header to validate is defined as a private static variable. So it is not possible to change the header to validate.

```java
// Field in Jersey's CsrfProtectionFilter: the header name is fixed at compile time
private static final String HEADER_NAME = "X-Requested-By";
```

It is good to stick to the standards and use X-Requested-By.
But still, if you want to validate a separate header, you need to write your own filter, which is very easy: just copy the class and change the header (which is not recommended).

Karthik Chandraraj
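The "write your own filter" route from the answer, as an added example that is neither the answer's nor the Jersey project's own code: a Jersey 1.x `ContainerRequestFilter` shaped like `CsrfProtectionFilter`, but with the header name passed in so an existing application header can be checked. The package, the class name and the header name `X-MyApp-Request` are assumed placeholders.

```java
// Added example, not Jersey's own code. Package and header name are assumptions.
package com.example.csrf;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;

public class CustomHeaderCsrfFilter implements ContainerRequestFilter {

    // Safe methods are not expected to change state, so they are left unchecked,
    // exactly as Jersey's CsrfProtectionFilter does.
    private static final Set<String> IGNORED_METHODS =
            new HashSet<String>(Arrays.asList("GET", "HEAD", "OPTIONS"));

    // The defence does not depend on the name: any header works as long as a
    // browser cannot attach it to a cross-site request without a CORS preflight,
    // i.e. it is not one of the CORS "simple" request headers.
    private final String headerName;

    public CustomHeaderCsrfFilter() {
        this("X-MyApp-Request"); // assumed name; use the header your app already sends
    }

    public CustomHeaderCsrfFilter(String headerName) {
        this.headerName = headerName;
    }

    public ContainerRequest filter(ContainerRequest request) {
        if (!IGNORED_METHODS.contains(request.getMethod()) && !hasHeader(request)) {
            // Reject before the resource method runs; 400 mirrors Jersey's own filter.
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        return request;
    }

    // Presence check only, like Jersey's filter: an empty value counts as missing.
    private boolean hasHeader(ContainerRequest request) {
        String value = request.getRequestHeaders().getFirst(headerName);
        return value != null && !value.trim().isEmpty();
    }
}
```

Register it the same way as Jersey's own filter, through the `com.sun.jersey.spi.container.ContainerRequestFilters` servlet init-param. If the API also answers CORS requests, the check only holds while this header is not listed in `Access-Control-Allow-Headers` for origins you do not trust.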