CSRF protection with custom headers (and without validating token)
For a REST API it seems that it is sufficient to check the presence of a custom header to protect against CSRF attacks, e.g. the client sends
“X-Requested-By: whatever”
and the server checks the presence of “X-Requested-By” and drops the req…
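The header-presence check described in the question, as an added example that is not code from the original post: the request-side check alone, and the CORS preflight handling it quietly depends on, since a browser only sends a custom header cross-origin after the server approves it in a preflight. The `TRUSTED_ORIGINS` value and the function names are this example's own assumptions.

```python
# Added example (not from the original question): server-side CSRF check that
# relies only on the presence of the X-Requested-By header, plus the CORS
# preflight answer that decides whether a browser may send that header
# cross-origin at all. TRUSTED_ORIGINS is a constructed placeholder.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}      # no state change, no check needed
CSRF_HEADER = "x-requested-by"                 # header name from the question
TRUSTED_ORIGINS = {"https://app.example.com"}  # assumption: our own front end


def _lower(headers):
    """Header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def csrf_check(method, headers):
    """Decide whether an actual (non-preflight) request passes the CSRF check.

    Returns (allowed, reason). The value of the header is irrelevant; only its
    presence matters, exactly as the question describes.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if CSRF_HEADER not in _lower(headers):
        return False, "missing X-Requested-By"
    return True, "custom header present"


def preflight_response(origin, requested_headers):
    """Answer an OPTIONS preflight for a cross-origin request.

    Browsers send custom headers cross-origin only after the server lists them
    in Access-Control-Allow-Headers, so approving the header for an untrusted
    origin would defeat csrf_check() without any change to that function.
    Returns the CORS response headers to add, or {} to refuse.
    """
    wanted = {h.strip().lower() for h in requested_headers.split(",") if h.strip()}
    if origin not in TRUSTED_ORIGINS:
        return {}  # no CORS headers at all: the browser blocks the real request
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Headers": ", ".join(sorted(wanted)),
        "Vary": "Origin",
    }
```

A plain HTML form (the classic CSRF vector) cannot add a custom header, so it fails `csrf_check`; the remaining risk sits in `preflight_response`, which must not echo arbitrary origins.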