My research shows that only the Host, Referer, and User-Agent headers can be spoofed. (Source: http://download2.rapid7.com/r7-0026/)

Is this a correct assumption to make? The security of a site I am building may require that "x-requested-with" cannot be faked. This is far from ideal but may be the only avenue I have.

+6  A: 

Every header can be spoofed. Any header that starts with x- is non-standard.

some
+11  A: 

The security of a site I am building may require that "x-requested-with" cannot be faked

Just about anything in HTTP can be spoofed. The level of 'spoofability' is hard to determine. It's fairly trivial to craft a request with any header value I desire.

If it's your only option, so be it, but I wouldn't want to use a site that relied on it for anything important.

Greg Dean
no problem, good luck
Greg Dean
Just to wrap up: I obviously couldn't continue with the problem I faced, but after some major (MAJOR!) refactoring today I've managed to implement a system that is far more secure. Thanks, everyone.
jdee
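A worked illustration of the point both answers make, added here and not part of the original thread: a minimal server that trusts `X-Requested-With` the way the asker proposed, and a hand-crafted request that sets that header (plus Host, Referer and User-Agent) to whatever it likes and is accepted. The server, the `/api/data` path, the `is_ajax_request` check and the header values are all constructed for this example.

```python
"""Added example: a server-side check on X-Requested-With is defeated by any
client that writes its own request bytes. Nothing here is from the original
thread; the endpoint, the check and the header values are constructed."""
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def is_ajax_request(headers):
    """The check the asker considered relying on: is this the header value
    that XMLHttpRequest wrappers such as jQuery add? (hypothetical check)"""
    return headers.get("X-Requested-With", "").lower() == "xmlhttprequest"


class Handler(BaseHTTPRequestHandler):
    """Answers /api/data and reports whether it trusted the request, based
    solely on the request headers (the flawed design under discussion)."""

    def do_GET(self):
        reply = {
            "trusted": is_ajax_request(self.headers),
            "user_agent": self.headers.get("User-Agent", ""),
            "referer": self.headers.get("Referer", ""),
        }
        body = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind the server to an ephemeral loopback port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def send_raw(port, header_lines):
    """Hand-craft an HTTP/1.1 GET from arbitrary header lines and return the
    decoded JSON body. No HTTP library is involved: every header line is just
    bytes we chose, which is the whole point."""
    request = ("GET /api/data HTTP/1.1\r\n"
               + "".join(line + "\r\n" for line in header_lines)
               + "Connection: close\r\n\r\n")
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        sock.sendall(request.encode())
        chunks = []
        while True:  # the server closes the connection after one response
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    _, body = b"".join(chunks).split(b"\r\n\r\n", 1)
    return json.loads(body)


def demo():
    """Return (plain, forged): the server's verdict on an honest request and
    on one whose headers were all chosen by the client."""
    srv, port = start_server()
    try:
        plain = send_raw(port, ["Host: 127.0.0.1"])
        forged = send_raw(port, [
            "Host: example.invalid",                 # constructed values
            "X-Requested-With: XMLHttpRequest",
            "User-Agent: Mozilla/5.0 (forged)",
            "Referer: https://example.invalid/app",
        ])
        return plain, forged
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    plain, forged = demo()
    print("without header:", plain)
    print("forged header: ", forged)
```

Run it and the second request is reported as `trusted` even though nothing about it came from a browser. The one distinction worth knowing (a general fact about browsers, not something the thread discusses): a page on a different origin cannot make a browser attach a custom header such as `X-Requested-With` to a cross-site request without a CORS preflight, so the header has some value as a signal that a request did not come from a third-party page in a user's browser; it says nothing at all about a client that speaks HTTP directly, which is the attacker the asker is worried about.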