Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Possible values for X-Requested-With header?

Tags:

security

csrf

web

csrf-protection

The x-requested-with header is kind of confusing to me. I know it can be used to defend against CSRF attacks, and that it is used to identify Ajax calls...but what is it really?

It just tells you what the request was...requested with?

Could there ever be a reasonable situation in which the header is present but set to some value other than "XMLHttpRequest"? I would imagine so, but I've never seen it set to anything else.

like image 972
ineedahero Avatar asked Oct 15 '25 10:10

ineedahero

1 Answers

Just like the User-Agent header, it is provided by the client and can contain literally anything.

It is not at all reliable for any server-side security check.

like image 75
Narf Avatar answered Oct 17 '25 00:10

Narf
Sign in to Comment

Related questions

Local virtual hosts show Privacy Error on Chrome due to HSTS
Why is the hash generated by BCrypt non-deterministic
Best practice to SSL Pinning in Flutter, fetch the certificate every time? or storing it in assets?
session not shared between two server
Integrating OWASP Dependency-Track into GitLab CI/CD Pipeline
Is the HTML5 property contenteditable secure?
Is JWT really safe to use in iOS Swift apps? [duplicate]
How to prevent SQL injection and improve security on REST APIs?
/gs option causing program to throw exception
What are Secure Access Modules (SAM) needed for?
Do I need CSRF-protection without users or login?
Import existing private key into BKS Keystore
RoR: undefined method `http_basic_authenticate_with'

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!