Why bother requiring CSRF token on POST requests?

Backend · Unresolved · 3 · 900

轮回少年 2021-01-16 21:12

My understanding is that CSRF prevents an attacker using an tag to get the victim's browser to send a request that would be authenticated using the

3 answers
  •  野趣味 (OP)
     2021-01-16 21:35

    Cross Site Request Forgery is when a site (let's say evil.example.com) can force a visiting user to make requests to another site (let's say example.com). It's not really forcing a user, since embedding an image (HTTP GET request) or a POST request via form submission or javascript is not that difficult.

    1. You should not make state or data changes via HTTP GET requests. img tags (GET request) shouldn't be able to make any kind of change whatsoever. If you allow this ... stop it. :)

    2. POST requests need to contain a value that is not guessable by a remote attacker. Typically this is a per request random value.

    So yes, CSRF is a demonstrated, known vulnerability that you should bother protecting against.
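The two rules in the answer above, worked through as an added example (not code from the thread or from any framework): a tiny in-memory request handler that refuses to change state on GET and accepts a POST only when it carries an unguessable, one-time, per-request token bound to the session. The session store, `/transfer` path and `balance` field are constructed for the demo.

```python
import hmac
import secrets
from typing import Dict, Optional, Set

# Constructed stand-in for a real session backend: session_id -> outstanding CSRF tokens.
SESSIONS: Dict[str, Set[str]] = {}


def issue_csrf_token(session_id: str) -> str:
    """Rule 2: mint a fresh per-request token from the OS CSPRNG (256 bits, not guessable)
    and remember it server-side so it can be checked, and spent, exactly once."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, set()).add(token)
    return token


def consume_csrf_token(session_id: str, presented: Optional[str]) -> bool:
    """Return True only if `presented` exactly matches an unused token for this session.
    Comparison is constant-time; a matched token is discarded so it cannot be replayed."""
    if not presented:
        return False
    outstanding = SESSIONS.get(session_id, set())
    match = next((t for t in outstanding if hmac.compare_digest(t, presented)), None)
    if match is None:
        return False
    outstanding.discard(match)
    return True


def handle_request(method: str, path: str, session_id: str,
                   form: Dict[str, str], state: Dict[str, int]) -> int:
    """Minimal router for one state-changing action. Returns an HTTP status code and
    mutates `state` only on a POST that passes the CSRF check."""
    if path != "/transfer":
        return 404
    if method == "GET":
        # Rule 1: GET never changes state, so an <img src="https://example.com/transfer?...">
        # on evil.example.com can at most fetch this 405 and nothing happens.
        return 405
    if method == "POST":
        # Rule 2: a forged form or XHR from another origin cannot know the session's token.
        if not consume_csrf_token(session_id, form.get("csrf_token")):
            return 403
        state["balance"] -= int(form["amount"])
        return 200
    return 405
```

A real deployment would keep the token store in the session backend and also reject requests whose `Origin`/`Referer` header does not match the site, as a second, independent check.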
