CSRF Serverside Protection Ideas.
CSRF is troublesome, and it is generally hard to protect against on a broad scale, because it can appear in almost anything the net offers. I had the idea of blocking requests with a malicious referer. Something similar is done to protect a web server against remote hotlinking of images. I wrote this only to explore the possibilities.

Alongside properly generated unique tokens, we can do a quick scan in Apache first. What we can check for is a malicious referer, and then also the request method and the query string; all of those are "requested" in GET. This could have protected against the Google AdSense CSRF exploit I talked about last time, because that exploit worked over GET. GET requests are the easiest ones to trick a user into, and are therefore dangerous. Since most posted form data can be sent as GET as well, we want to block such attacks, or limit them where we can.

In this example I do just that, but I also send the offending requests to a special page where all POST and GET variables and cookies are destroyed. Users are then sent back to the index to log in again, mitigating most CSRF attacks. It may help in defining your own perimeters, and we can also use it to protect files that are requested from other servers.

As with all good things in life, this has a downside: if the browser does not send the referer string along, it fails. But if users have their referer turned on, this might work well. On the other hand, it is easy to provide a mechanism for that as well: just deny any request to files beyond the index. That in turn might be too strict for many, so I left it out. Of course I would rather have everyone open a site on its index, but the web doesn't work that way. Isolating servers is tough, and basically we are screwed and doomed to develop some "hacks".
RewriteEngine On
Options +FollowSymLinks
AddType application/x-httpd-php .php .xkill

# only allow nice people: unusual request methods go straight to the reset page.
# the extra condition keeps the reset page itself from being rewritten in a loop.
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteCond %{REQUEST_URI} !deny\.xkill$
RewriteRule ^(.*)$ deny.xkill [NC,L]

# redirect them to a page that resets all request variables:
# .xkill is a new extension we added that is treated as PHP to reset/log variables.
# you might want to change the prefix for sub domains.
# note: an empty referer (bookmark, typed URL, privacy extension) also fails this condition.
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yourwebsite\.com/ [NC]
RewriteRule .*\.(php|asp|jsp)$ deny.xkill [NC,L]

# additionally we can make sure that no crazy stuff gets requested.
# basically remote file inclusion works the same as CSRF, so we deny filenames.
# this pattern is broad: any quote, angle bracket, "/" or one of the listed ".x" pairs
# anywhere in the query string is denied.
RewriteCond %{QUERY_STRING} ^(.*)('|<|>|/|\.a|\.c|\.t|\.d|\.p|\.i|\.e|\.j)(.*) [NC]
RewriteCond %{REQUEST_URI} !deny\.xkill$
RewriteRule ^(.*)$ deny.xkill [NC,L]

These are some ideas. It is also possible you want to block access to certain single files that you fear could be exploited someday. That can be a good option because it won't break all the functionality of the
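To see what the rewrite rules above actually let through, here is an added example (my own code, not the post's or Apache's) that mirrors the three checks as Python regexes and runs them over a few constructed requests; yourwebsite.com is the placeholder host from the config and evil.example is a made-up cross-site origin.

```python
import re

# The post's three Apache rewrite checks, mirrored as plain regexes (re.IGNORECASE = [NC]).
BAD_METHOD = re.compile(r"^(HEAD|TRACE|DELETE|TRACK)", re.IGNORECASE)
TRUSTED_REFERER = re.compile(r"^http://(.+\.)?yourwebsite\.com/", re.IGNORECASE)
DYNAMIC_FILE = re.compile(r".*\.(php|asp|jsp)$", re.IGNORECASE)
BAD_QUERY = re.compile(r"^(.*)('|<|>|/|\.a|\.c|\.t|\.d|\.p|\.i|\.e|\.j)(.*)", re.IGNORECASE)


def check_request(method, path, query="", referer=""):
    """Return ("allow", "") or ("deny", <which rule fired>).

    A "deny" corresponds to the rewrite to deny.xkill in the config.
    """
    if BAD_METHOD.match(method):
        return "deny", "method"
    if DYNAMIC_FILE.match(path) and not TRUSTED_REFERER.match(referer):
        # An empty Referer fails the trusted pattern too, so a bookmarked or
        # typed-in visit to any .php page is denied: the downside the post mentions.
        return "deny", "referer"
    if BAD_QUERY.match(query):
        # Broad on purpose: any "/" or "'" (and ".a", ".p", ...) in the query string.
        return "deny", "query"
    return "allow", ""


# Constructed sample requests: (method, path, query, referer).
SAMPLES = [
    ("GET", "/account/change-email.php", "email=x@y.org", "http://evil.example/"),
    ("GET", "/account/change-email.php", "email=x@y.org", "http://www.yourwebsite.com/index.php"),
    ("GET", "/index.php", "", ""),
    ("TRACE", "/index.php", "", "http://yourwebsite.com/"),
    ("GET", "/search.php", "page=../config.php", "http://yourwebsite.com/"),
    ("GET", "/page.php", "", "http://yourwebsite.com.evil.example/"),
    ("GET", "/logo.png", "", "http://evil.example/"),
]


def run_samples():
    """Evaluate every sample and return the list of decisions in order."""
    return [check_request(*s) for s in SAMPLES]


if __name__ == "__main__":
    for sample, (decision, rule) in zip(SAMPLES, run_samples()):
        print(f"{decision:5s} {rule:8s} {sample[0]} {sample[1]}?{sample[2]} referer={sample[3]!r}")
```

Note that the static logo.png request with a foreign referer is allowed, because only .php/.asp/.jsp paths are covered by the referer rule, while the referer-less visit to index.php is denied.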