That's not a good enough solution - there are decent reasons that a referrer header might be missing (some PC antivirus software strips out referrer headers for example). The only safe way to handle this is with a POST request protected by a CSRF token tied to a cookie.
+1 You can’t trust the Referer header.
GET with randomized ids and checking referrer should be good enough to keep things simple.
Really? I block the referer header so I guess all my upvotes haven't been counted. :(
The referer header is also controlled by the client. Anything controlled by the client should be considered tainted.
This doesn't really apply when you are trying to verify whether the client actually performed some action.
In a CSRF scenario, the client itself can presumably be "trusted" - a client behaving maliciously can only hurt itself, not anyone else. The important thing is to not trust anything that may have been provided by a third party.
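Added example (not from any commenter above) contrasting the two approaches the thread argues about: a Referer-only check on the vote endpoint versus a POST protected by a CSRF token derived from the session cookie. The server secret, the session cookie value, the `example.test` origin and the request dicts are all constructed for this example; a real framework would supply the request object and the secret would come from configuration.

```python
import hashlib
import hmac

# Constructed server-side secret for this example only. In practice it is loaded
# from configuration and never committed to source control.
SERVER_SECRET = b"example-only-secret-not-for-production"

# Constructed session cookie value for the sample requests below.
SESSION = "sess-abc123"


def issue_csrf_token(session_cookie: str) -> str:
    """Derive a CSRF token from the session cookie value with a keyed HMAC.

    A third-party page can make the browser *send* the session cookie, but it
    cannot *read* it, so it cannot compute or guess the matching token.
    """
    return hmac.new(SERVER_SECRET, session_cookie.encode(), hashlib.sha256).hexdigest()


def referer_only_check(request: dict) -> bool:
    """The weak scheme from the thread: accept the vote if Referer looks like ours.

    Referer is client-controlled and is often stripped (privacy extensions,
    some antivirus products), so this both trusts tainted input and rejects
    legitimate users.
    """
    referer = request["headers"].get("Referer", "")
    return referer.startswith("https://example.test/")


def csrf_token_check(request: dict) -> bool:
    """Accept a vote only for a POST whose form token matches the session cookie.

    The Referer header is deliberately not consulted at all.
    """
    if request["method"] != "POST":
        # State changes over GET can be triggered by an <img src=...> on any page.
        return False
    session_cookie = request["cookies"].get("session")
    submitted = request["form"].get("csrf_token")
    if not session_cookie or not submitted:
        return False
    expected = issue_csrf_token(session_cookie)
    # Constant-time comparison so token validation does not leak timing.
    return hmac.compare_digest(expected, submitted)


def build_request(method: str, cookies=None, form=None, headers=None) -> dict:
    """Tiny stand-in for a framework request object (constructed for the example)."""
    return {
        "method": method,
        "cookies": cookies or {},
        "form": form or {},
        "headers": headers or {},
    }


# Sample requests, all constructed:

# 1. A legitimate user whose antivirus strips the Referer header. The
#    Referer-only scheme wrongly rejects this vote; the token scheme accepts it.
LEGIT_NO_REFERER = build_request(
    "POST",
    cookies={"session": SESSION},
    form={"csrf_token": issue_csrf_token(SESSION)},
)

# 2. A cross-site forged POST: the browser attaches the session cookie on its
#    own, but the third-party page has no way to supply the correct token.
FORGED = build_request(
    "POST",
    cookies={"session": SESSION},
    form={"csrf_token": "0" * 64},
    headers={"Referer": "https://third-party.example/"},
)

# 3. The "GET with randomized ids plus Referer" idea: rejected by the token
#    scheme purely because it is a GET, regardless of headers.
GET_WITH_REFERER = build_request(
    "GET",
    cookies={"session": SESSION},
    headers={"Referer": "https://example.test/question/42"},
)


def compare_schemes() -> dict:
    """Return each scheme's verdict on the three sample requests."""
    samples = {
        "legit_no_referer": LEGIT_NO_REFERER,
        "forged_cross_site": FORGED,
        "get_with_referer": GET_WITH_REFERER,
    }
    return {
        name: {"referer_only": referer_only_check(r), "csrf_token": csrf_token_check(r)}
        for name, r in samples.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare_schemes().items():
        print(name, verdicts)
```

Running it shows the point of the thread: the token scheme accepts the legitimate vote even with no Referer present and rejects the forged one, while the Referer-only scheme does the opposite for the legitimate user. Binding the token to the session cookie through the HMAC is what makes a stolen or leaked token from another session useless.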