Are RESTful sites safe against CSRF attacks?

The same-origin policy doesn't allow JavaScript or similar to receive the response to requests sent outside your host!

In computing, the same-origin policy is an important security concept for a number of browser-side programming languages, such as JavaScript. The policy permits scripts running on pages originating from the same site – a combination of scheme, hostname, and port number – to access each other's methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites. Same-origin policy also applies to XMLHttpRequest and to robots.txt.


Your application is Ajax, but it can be vulnerable to CSRF (if you don't check the content-type or if you add unsafe same-origin policies).

If you don't check the content-type, an attacker can send this request with a normal form, like this:

<form name="x" action="http://site/index" enctype="text/plain" method="post">
  <input type="hidden" name='{"fname":"abe","lname":"m","company":"comp","email":"[email protected]","Junk":"' value='Noting"}'>
</form>
<script>document.x.submit();</script>
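The server-side check the answer above calls for, as an added example that is not part of the original answer: a plain-HTML form can only produce text/plain, urlencoded or multipart bodies, so an endpoint that insists on application/json and a same-site Origin/Referer refuses the form submission shown. The origin set and the header dicts are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the origins allowed to call the API, as
# scheme://host[:port], the same triple the same-origin policy compares.
ALLOWED_ORIGINS = {"http://site", "https://site"}

# Media types a plain HTML <form> can send with no script at all; these are
# the only ones a cross-site page can submit, as the text/plain form above does.
FORM_MEDIA_TYPES = {"text/plain", "application/x-www-form-urlencoded", "multipart/form-data"}

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def media_type(content_type):
    """Lower-cased media type with parameters such as charset stripped."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def origin_of(url):
    """Reduce a URL to scheme://host[:port]; empty string if it is not absolute."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}".lower()


def reject_reason(method, headers):
    """Return None if the request may be processed, otherwise why it is refused.

    headers: dict of request headers (any key casing).
    """
    if method.upper() not in STATE_CHANGING:
        return None
    h = {k.lower(): v for k, v in headers.items()}
    ct = media_type(h.get("content-type"))
    if ct in FORM_MEDIA_TYPES:
        return f"form-submittable content type {ct}: rejected as likely CSRF"
    if ct != "application/json":
        return f"unexpected content type {ct or '(none)'}: JSON API accepts application/json only"
    # Browsers add Origin to cross-site POSTs; fall back to Referer for older clients.
    origin = origin_of(h.get("origin")) or origin_of(h.get("referer"))
    if not origin:
        return "no Origin or Referer header: cannot prove the request is same-site"
    if origin not in ALLOWED_ORIGINS:
        return f"cross-site request from {origin}"
    return None
```

If the server's CORS headers allow an attacker's origin with credentials (the "unsafe same-origin policies" the answer mentions), a cross-site XHR can send application/json, so the Origin check is the part that still holds; both checks complement rather than replace a per-session anti-CSRF token.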

The simple answer is no, RESTful sites are not "inherently" safe against CSRF attacks. There is nothing about being RESTful that prevents CSRF because CSRF doesn't require REST to work. Think about session fixation, which can be one form of CSRF. If I can fix your session ID then I can begin executing requests as you, RESTful or not. Also, don't be confused either by the first part of CSRF and XSS (cross-site) because an attack does not need to occur from one primary domain to another in order to be CSRF or XSS. It is a bit of a misnomer that confuses people when trying to protect against these types of attacks. Just because you don't rely on the referer or you set a strict same domain origin policy doesn't mean you still aren't vulnerable to CSRF.