[Owasp-csrfguard] CSRFGuard treats non-ajax request as ajax request

Veeraswami Ramineni (veramine) veramine at cisco.com
Thu Mar 19 10:05:34 UTC 2015


CSRFGuard treats a non-AJAX request as an AJAX request when an "X-Requested-With" header is present in the request.

We are also facing the same issue in a different scenario.

In recent Chrome versions, the "X-Requested-With" header is added to requests which are sent from Flash/Flex-related code.
CSRFGuard misidentifies this as an AJAX request and treats the request as invalid because the security token is not present in the header.

It is a Java-based web application.

Is there any workaround available for the above-mentioned issue?
Please let me know your suggestions.

Thanks in advance.
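
The failure mode reported above, as an added example that is not part of the original post and is not CSRFGuard source code: a simplified model comparing a presence-only "X-Requested-With" check with a check on the header's value. The token name, the header value and the session token are constructed placeholders, and the value-based check is an assumption about one possible mitigation, not a documented CSRFGuard option.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

// Simplified model of the behaviour described above; not CSRFGuard source code.
public class AjaxDetectionDemo {
    static final String TOKEN_NAME = "CSRF_TOKEN"; // hypothetical token name

    // Presence-only check: any X-Requested-With value marks the request as AJAX.
    static boolean isAjaxByPresence(Map<String, String> headers) {
        return headers.get("X-Requested-With") != null;
    }

    // Value check: only the value sent by XMLHttpRequest libraries counts as AJAX.
    static boolean isAjaxByValue(Map<String, String> headers) {
        return "XMLHttpRequest".equalsIgnoreCase(headers.get("X-Requested-With"));
    }

    // AJAX requests must carry the token in a header, all others in a parameter.
    static boolean isValid(Map<String, String> headers, Map<String, String> params,
                           String sessionToken, boolean strict) {
        boolean ajax = strict ? isAjaxByValue(headers) : isAjaxByPresence(headers);
        String sent = ajax ? headers.get(TOKEN_NAME) : params.get(TOKEN_NAME);
        if (sent == null) return false; // a missing token is rejected in both modes
        // Constant-time comparison of the submitted token with the session token.
        return MessageDigest.isEqual(sent.getBytes(StandardCharsets.UTF_8),
                                     sessionToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String token = "constructed-session-token";
        // Constructed sample: plugin-originated form post, token sent as a parameter.
        Map<String, String> flash = Map.of("X-Requested-With", "ShockwaveFlash/0.0-constructed");
        Map<String, String> withToken = Map.of(TOKEN_NAME, token);
        Map<String, String> noToken = Map.of();
        // A genuine XMLHttpRequest presents the token in the header.
        Map<String, String> xhr = Map.of("X-Requested-With", "XMLHttpRequest", TOKEN_NAME, token);

        System.out.println("presence-only, token in parameter:  " + isValid(flash, withToken, token, false));
        System.out.println("value check, token in parameter:    " + isValid(flash, withToken, token, true));
        System.out.println("value check, no token at all:       " + isValid(flash, noToken, token, true));
        System.out.println("value check, XHR with header token: " + isValid(xhr, noToken, token, true));
    }
}
```

In this model the value check changes only where the token is looked for; a request without a valid token is rejected either way.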
