Comment by simonw
13 years ago
That's not a good enough solution - there are decent reasons that a referrer header might be missing (some PC antivirus software strips out referrer headers for example). The only safe way to handle this is with a POST request protected by a CSRF token tied to a cookie.
+1 You can’t trust the Referer header.
GET with randomized ids and checking referrer should be good enough to keep things simple.
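
The approach named in simonw's comment above (a POST request protected by a CSRF token tied to a cookie), as an added example that is not part of the thread or any participant's code. The cookie name `session`, the form field `csrf_token`, and the function names are assumptions made for illustration; the token here is an HMAC of the session cookie value under a server-side key.

```python
import hashlib
import hmac
import secrets

# Assumption: one server-side secret per deployment, never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def new_session_id() -> str:
    """Random value stored in the (hypothetical) 'session' cookie."""
    return secrets.token_urlsafe(32)


def issue_csrf_token(session_id: str) -> str:
    """Token embedded in the form: HMAC(server key, session cookie value).

    Another site cannot compute it without SERVER_KEY, and a token issued
    for one session cookie does not verify against a different one.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(method: str, cookies: dict, form: dict) -> bool:
    """Decide whether a state-changing request may proceed.

    The Referer header is deliberately not consulted, so a client whose
    software strips it is not locked out.
    """
    if method.upper() != "POST":
        return False  # state changes are never accepted over GET
    session_id = cookies.get("session")
    token = form.get("csrf_token")
    if not session_id or not token:
        return False
    expected = issue_csrf_token(session_id)
    # Compare as bytes in constant time; bytes also tolerate non-ASCII input.
    return hmac.compare_digest(expected.encode(), token.encode())


if __name__ == "__main__":
    sid = new_session_id()  # constructed sample session
    form = {"csrf_token": issue_csrf_token(sid)}
    print(is_request_allowed("POST", {"session": sid}, form))  # legitimate form post
    print(is_request_allowed("GET", {"session": sid}, form))   # GET is refused
```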