
Is referer still worth it to prevent CSRF? They seem to be using a CSRF token in their <form> and that should be all that's needed from what I understand..

  Forbidden (403)
  
  CSRF verification failed. Request aborted.
  
  You are seeing this message because this HTTPS site requires a 'Referer header' to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.
  
  If you have configured your browser to disable 'Referer' headers, please re-enable them, at least for this site, or for HTTPS connections, or for 'same-origin' requests.

