A couple of months ago, I received a request from a random Internet user to add CSRF protection to my little web framework Microdot, and I thought it was a fantastic idea. When I set off to do this…
I had the same thought here, but it’s really just poorly stated, not wrong.
The assumed context here is prevention of Cross-Site Request Forgery, which is a specific type of attack that only OCCURS via browsers, or similarly-trusted clients. In other words, attacks where this header is being forged by a non-browser client are mitigated by other security measures, such as authentication tokens.
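The threat model in the comment above, as an added example that is not Microdot's code nor the commenter's: a state-changing request is accepted only when its `Origin` (or, failing that, `Referer`) header names one of the application's own origins, and optionally when a synchronizer token submitted with the request matches the one bound to the session. The header check only has meaning for requests a browser builds, since a browser never lets a page forge these headers; a non-browser client can set anything it likes, and for that client the page's point is that the credential (here modelled as the session token) is the control, not the header. Origin values, the allowed-origin set and the tokens are constructed sample values.

```python
# Added example (not Microdot's own implementation): Origin/Referer-based CSRF
# check with an optional synchronizer-token comparison.
import hmac
from urllib.parse import urlsplit

# Methods that must not change state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_of(url):
    """Reduce a URL to 'scheme://host[:port]' (lowercased), or None if unparsable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_csrf(method, headers, allowed_origins, session_token=None, submitted_token=None):
    """Return (ok, reason) for one request.

    headers:          dict of request headers, any key case.
    allowed_origins:  set of 'scheme://host[:port]' strings this app serves.
    session_token /   if either is given, additionally require a constant-time
    submitted_token:  match between the two (synchronizer token pattern).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    h = {k.lower(): v for k, v in headers.items()}
    allowed = {o.lower() for o in allowed_origins}

    # Browsers send Origin on cross-site POSTs; 'null' is an opaque origin
    # (sandboxed frame, privacy-sensitive redirect) and carries no trust.
    source = h.get("origin")
    if source is None or source == "null":
        ref = h.get("referer")
        source = _origin_of(ref) if ref else None

    if source is None:
        return False, "no Origin or Referer on state-changing request"
    if source.lower() not in allowed:
        return False, f"cross-site origin {source}"

    # Token check: only meaningful when the caller wires a per-session secret.
    if session_token is not None or submitted_token is not None:
        if not (session_token and submitted_token
                and hmac.compare_digest(session_token, submitted_token)):
            return False, "csrf token missing or mismatched"

    return True, "same-origin"


if __name__ == "__main__":
    # Constructed sample requests against a constructed allowed-origin set.
    ALLOWED = {"https://app.example"}
    samples = [
        ("GET", {}),
        ("POST", {"Origin": "https://app.example"}),
        ("POST", {"Origin": "https://evil.example"}),
        ("POST", {"Referer": "https://app.example/form?x=1"}),
        ("POST", {}),
    ]
    for method, hdrs in samples:
        print(method, hdrs, "->", check_csrf(method, hdrs, ALLOWED))
```

The fallback to `Referer` only happens when `Origin` is absent; a request with neither header is rejected rather than waved through, since a browser that strips both (for example under a strict referrer policy) is rare on same-site form posts and the safer default is to deny.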