Can the "x-requested-with" http header be spoofed?


Question

My research shows that only the Host, Referer, and User-Agent headers can be spoofed. (source)

Is this a correct assumption to make? The security of a site I am building may require that "x-requested-with" cannot be faked. This is far from ideal but may be the only avenue I have.

Recommended answer

The security of a site I am building may require that "x-requested-with" cannot be faked

Just about anything in HTTP can be spoofed. The level of 'spoofability' is hard to determine. It's fairly trivial to craft a request with any header value I desire.

If it's your only option, so be it, but I wouldn't want to use a site that relied on it for anything important.
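
The following is an added example, not part of the original question or answer. It contrasts a server-side check that trusts "x-requested-with" with one that requires a value only the server can compute. The header name X-Session-Token, the session id, the key handling and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical secret, never sent to clients


def _get(headers: dict, name: str) -> str:
    """Header names are case-insensitive, so compare them lower-cased."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def header_only_check(headers: dict) -> bool:
    """Weak: the expected value is a public constant that the client supplies."""
    return _get(headers, "X-Requested-With") == "XMLHttpRequest"


def issue_token(session_id: str) -> str:
    """Value the server gives to a session it has already authenticated."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_check(headers: dict, session_id: str) -> bool:
    """Stronger: the request must carry a value only the server could compute."""
    presented = _get(headers, "X-Session-Token")
    return hmac.compare_digest(presented.encode(), issue_token(session_id).encode())


# Constructed sample requests, as header dicts a server framework would expose.
PAGE_REQUEST = {"X-Requested-With": "XMLHttpRequest",
                "X-Session-Token": issue_token("session-42")}
OTHER_CLIENT = {"x-requested-with": "XMLHttpRequest",  # set by hand, no browser involved
                "X-Session-Token": "0" * 64}           # cannot be computed without SERVER_KEY

if __name__ == "__main__":
    for name, req in (("page", PAGE_REQUEST), ("other client", OTHER_CLIENT)):
        print(name, header_only_check(req), token_check(req, "session-42"))
```

Both sample requests pass the header-only check; only the one carrying the server-issued token for its own session passes the second check.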
