The x-requested-with header is kind of confusing to me. I know it can be used to defend against CSRF attacks, and that it is used to identify Ajax calls...but what is it really?

It just tells you what the request was...requested with?

Could there ever be a reasonable situation in which the header is present but set to some value other than "XMLHttpRequest"? I would imagine so, but I've never seen it set to anything else.

ineedahero

2 Answers

Just like the User-Agent header, it is provided by the client and can contain literally anything.

It is not at all reliable for any server-side security check.

Narf
  • Not reliable for any security check? http://stackoverflow.com/questions/17478731/whats-the-point-of-the-x-requested-with-header – ineedahero Dec 06 '16 at 19:03
  • CORS is a client-side mechanism, working inside browsers. That means that for you to consider it reliable, you have to *assume* that each of your visitors has a modern, up-to-date browser. In some cases that is acceptable ... I guess I went overboard with saying "any"; I really meant "any server-side". – Narf Dec 06 '16 at 19:13
  • Hmm. Interesting. You also said the header could be "anything". Can you think of any (non-malicious) situations in which it wouldn't be 'XMLHttpRequest'? Or is it just always 'XMLHttpRequest' in practice (despite whatever it could be in theory)? – ineedahero Dec 06 '16 at 19:37
  • Sure ... Popular JS frameworks set it to that value when doing AJAX requests, only because there's no other way to tell you that it is an AJAX request - 'XMLHttpRequest' has become the de-facto standard value for that indication. But if you build an HTTP client that does something specialized like that, you can set it to another value, even if just for logging purposes. – Narf Dec 06 '16 at 19:42
  • In other words - yes, it is only used so that the client can tell you how they made the request. – Narf Dec 06 '16 at 19:43
Android sets X-Requested-With to the package ID of the app, for third-party apps that use the WebView component to embed a browser into their UI.

Presumably this could be used for debugging and/or statistics, but the values cannot be trusted because it would be possible for an attacker to write a custom client that sets it to anything just to try to break your server.

Silas S. Brown
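As an added example (not code from the question or either answer), here is a server-side gate in Python that applies both points made above: the mere presence of X-Requested-With rules out a plain cross-site form post, but since its value can be anything (including an Android package id from a WebView), the actual decision rests on a session-bound CSRF token. The key, header names, session ids and sample requests are all constructed for the demo.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed demo key; a real server keeps this in its secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session anti-CSRF token that the page embeds for its own scripts."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def sent_custom_header(headers: Dict[str, str]) -> bool:
    """X-Requested-With is a custom header: a plain HTML form cannot add it and a
    cross-origin XHR/fetch needs CORS permission to send it.  Its presence, with
    ANY value ('XMLHttpRequest', an Android package id, free text), only says the
    client was able to set headers; it says nothing about who that client is."""
    return header(headers, "X-Requested-With") is not None

def authorize_state_change(headers: Dict[str, str], session_id: str) -> Tuple[bool, str]:
    """Gate a state-changing request.  The header is a cheap first filter; the
    session-bound token is the check that actually decides."""
    if not sent_custom_header(headers):
        return False, "no X-Requested-With: looks like a cross-site form post"
    supplied = header(headers, "X-CSRF-Token") or ""
    if not hmac.compare_digest(supplied, issue_csrf_token(session_id)):
        return False, "X-Requested-With present but CSRF token missing or wrong"
    return True, "ok"

if __name__ == "__main__":
    # Constructed requests: a browser XHR from our own page, an Android WebView
    # (package-id value), and a hand-built client that only copies the header.
    token = issue_csrf_token("session-42")
    for name, hdrs in [
        ("form post", {"Content-Type": "application/x-www-form-urlencoded"}),
        ("browser XHR", {"X-Requested-With": "XMLHttpRequest", "X-CSRF-Token": token}),
        ("Android WebView", {"x-requested-with": "com.example.app", "X-CSRF-Token": token}),
        ("custom client", {"X-Requested-With": "XMLHttpRequest"}),
    ]:
        print(f"{name:16} -> {authorize_state_change(hdrs, 'session-42')}")
```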