If my Ajax requests set an X-Requested-With header, can I just skip the CSRF check if this header is present? Can I be sure it cannot be forged (with the user session)?
+1
A:
As long as you don't have a wide open crossdomain.xml (you might have this because you host Flash content on your site?) or your visitors have old browsers, you should be rather safe. Though I would recommend the use of a "crumb" token (random value in a cookie and the same value in the request). This is because Flash may set X-Requested-With, and I think that old IE versions allow you to do so too (not sure on this one though).
With "can I just skip the CSRF check" I assume you refer to this crumb/token? Because checking X-Requested-With is a way of checking against CSRF.
Since this header is optional, browsers may not always send it, and according to this page they seem not to send it over SSL.
MyGGaN
2010-03-05 00:39:08
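The "crumb" approach the answer recommends (a random value in a cookie, echoed back in the request) is the double-submit cookie pattern. The following is an added example, not code from the question or the answerer: a server-side check that accepts a state-changing request only when the cookie crumb matches the crumb supplied in a header or form field, and that deliberately does not treat X-Requested-With on its own as proof of a same-origin Ajax call. The cookie name `crumb`, the form field `crumb`, and the header `X-CSRF-Token` are assumed names chosen for this example; the request dictionaries are constructed inline.

```python
import hmac
import secrets

# Assumed names for this example (not from the original post).
COOKIE_NAME = "crumb"        # cookie half of the double-submit token
FIELD_NAME = "crumb"         # form-field copy, for classic HTML forms
HEADER_NAME = "x-csrf-token" # header copy, for Ajax clients (compared lowercase)

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_crumb() -> str:
    """Fresh random crumb; the server sets this as a cookie when the session starts."""
    return secrets.token_hex(32)


def _lower_keys(mapping):
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in mapping.items()}


def is_ajax(headers) -> bool:
    """True when the client claims to be XMLHttpRequest. Informational only:
    the answer notes Flash and old IE may set this header, so it is not trusted."""
    return _lower_keys(headers).get("x-requested-with", "").lower() == "xmlhttprequest"


def csrf_check(method, headers, cookies, form):
    """Return (ok, reason) for a request.

    Safe methods pass. Any other method must carry a crumb in the header or
    form field that matches the crumb cookie. A cross-site request will carry
    the cookie (the browser attaches it) but the attacker cannot read its value,
    so the echoed copy is missing or wrong and the check fails.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    hdrs = _lower_keys(headers)
    cookie_crumb = cookies.get(COOKIE_NAME)
    request_crumb = hdrs.get(HEADER_NAME) or form.get(FIELD_NAME)

    if not cookie_crumb or not request_crumb:
        if is_ajax(headers):
            # The point of the example: X-Requested-With alone is not accepted.
            return False, "X-Requested-With present but crumb missing"
        return False, "crumb missing"

    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(cookie_crumb, request_crumb):
        return False, "crumb mismatch"
    return True, "crumb matches"


def demo():
    """Run the check over constructed requests; returns {label: ok}."""
    crumb = issue_crumb()
    cases = {
        "get_no_token": ("GET", {}, {}, {}),
        "ajax_with_matching_crumb": (
            "POST",
            {"X-Requested-With": "XMLHttpRequest", "X-CSRF-Token": crumb},
            {COOKIE_NAME: crumb},
            {},
        ),
        "form_with_matching_crumb": ("POST", {}, {COOKIE_NAME: crumb}, {FIELD_NAME: crumb}),
        # Forged cross-site request: cookie rides along, but the attacker only
        # controls the header and cannot echo the cookie value.
        "ajax_header_only": (
            "POST",
            {"X-Requested-With": "XMLHttpRequest"},
            {COOKIE_NAME: crumb},
            {},
        ),
        "wrong_crumb": ("POST", {}, {COOKIE_NAME: crumb}, {FIELD_NAME: "0" * 64}),
    }
    return {label: csrf_check(*args)[0] for label, args in cases.items()}


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:28s} {'accepted' if ok else 'rejected'}")
```

The check ignores X-Requested-With for the accept decision and uses it only to produce a clearer rejection reason; the crumb comparison is what actually decides. Because the token is compared with `hmac.compare_digest`, a mismatch takes the same time regardless of where the strings differ.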