{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 神经病院院长 的问题《Is it a good practice to store the csrf token in m》','https://www.manongdao.com/q-504701.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
If I make a POST request without using form and want to prevent CSRF attack, what I can do is to set the csrf-token in meta tag and put it back to the header when the request is triggered. Is it a good practice?
<meta name="csrf-token" content="xxx">
Put the token back via the header, using JQuery for example:
$.ajaxSetup({
headers: {
'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
}
});
Yes this is good practice. If you are using ajax I think this is the cleanest solution.
You could also put the token inside of the form (which is more convenient if submitting the whole form), but if you are using ajax, it just needs to go somewhere that you can grab it.
in a hidden field, or in a meta tag are both very good options.