Disallowing JavaScript does NOT protect you against CSRF: a plain HTML “Press button to see kittens” form on an attacker's page submits a POST to your site, and the browser attaches your session cookie to it, with no JavaScript involved. The right fix is server-side: an unguessable anti-CSRF token, tied to the session, required on every cookie-authenticated form that changes state, and checked before the write happens.
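The following is an added example, not code from the original page: a minimal server-side CSRF check in Python. The session ids, the `SERVER_SECRET`, the `handle_transfer` endpoint and the attacker's form are all constructed for illustration. The token is an HMAC of the session id under a server secret, so the server stores nothing extra and the attacker's page, which can make the victim's browser send the cookie but cannot read it or anything derived from it, cannot produce the token.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed for this example. In a real deployment this comes from config
# and is rotated; it must never be exposed to clients.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token_for(session_id: str) -> str:
    """Derive a per-session CSRF token: HMAC-SHA256(server_secret, session_id).

    Stateless: the server keeps only the secret, not a table of tokens.
    Embed the result in each state-changing form as a hidden field.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, presented: Optional[str]) -> bool:
    """Constant-time comparison so the check does not leak the token byte by byte."""
    if not presented:
        return False
    return hmac.compare_digest(csrf_token_for(session_id), presented)


@dataclass
class Request:
    """A simulated HTTP request: the browser-attached cookies plus the form body."""
    method: str
    cookies: dict
    form: dict = field(default_factory=dict)


# Constructed session store: cookie value -> logged-in user.
SESSIONS = {"sess-abc": "alice"}


def handle_transfer(req: Request) -> Tuple[int, str]:
    """A cookie-authenticated write endpoint with a CSRF check before the write."""
    session_id = req.cookies.get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state changes must be POST"
    # The CSRF check: the cookie proves the browser, the token proves the page
    # that built the form was served by us to this session.
    if not csrf_token_valid(session_id, req.form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, f"{user} sent kittens to {req.form['to']}"


def legit_request() -> Request:
    """Form rendered by our own site: it carries the session's token."""
    return Request(
        method="POST",
        cookies={"session": "sess-abc"},
        form={"to": "bob", "csrf_token": csrf_token_for("sess-abc")},
    )


# The attacker's page needs no JavaScript at all; the victim just clicks.
ATTACKER_HTML = """
<form method="POST" action="https://kittens.example/transfer">
  <input type="hidden" name="to" value="mallory">
  <button>Press button to see kittens</button>
</form>
"""


def forged_request() -> Request:
    """What the server receives when the victim clicks the attacker's form.

    The browser attaches the session cookie automatically, but the attacker's
    page cannot read that cookie or compute HMAC(secret, session_id), so the
    form has no valid token. Guessing one (shown here) fails the check.
    """
    return Request(
        method="POST",
        cookies={"session": "sess-abc"},
        form={"to": "mallory", "csrf_token": "0" * 64},
    )


if __name__ == "__main__":
    print(handle_transfer(legit_request()))   # (200, 'alice sent kittens to bob')
    print(handle_transfer(forged_request()))  # (403, 'missing or invalid CSRF token')
```

The token must be sent in the request body (or a custom header), never only in a cookie, since the whole problem is that cookies are attached to cross-site requests automatically. Note also that a GET handler that changes state is exploitable by a bare `<img src=...>`, which is why the endpoint above refuses anything but POST before it even looks at the token.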