Question

As the question asks, I have a generic website using Jetty and I'm being asked for CSRF protection.

If I have a form:

<form action="http://somedomain.com/somepage">
    <input ....>
</form>

My question: If somepage only accepts content-type: application/json, is this enough to prevent CSRF? I am sure I have to generate a unique token per user. However, how would someone be able to violate CSRF if the only protection is done by way of content-type?


Solution

Short answer: Probably

Long answer: Don't bank on it.

See this question for a more complete explanation, but while content type checking works today, you can get pretty close by posting valid JSON as text/plain which may be incorrectly parsed by some backends.

Additionally, if enctype='application/json' ever becomes valid HTML, your whole system is pooched.

While it's a great first step, if you really want to protect against CSRF attacks, implement a proper CSRF token system.
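The two behaviours the answer contrasts, modelled as an added example (not Jetty code and not from the original post): a lenient endpoint that parses the body as JSON regardless of the declared Content-Type, beside a hardened endpoint that enforces the exact media type and validates a per-session synchronizer token. The Request class, the SESSIONS store, the JSESSIONID cookie name and the X-CSRF-Token header name are constructed for the illustration.

```python
import hmac
import json
import secrets
from dataclasses import dataclass, field


# Constructed stand-in for an HTTP request reaching the endpoint.
# Browsers attach cookies to cross-site form posts, so the session
# cookie alone proves nothing about where the request originated.
@dataclass
class Request:
    method: str
    headers: dict
    body: str
    cookies: dict = field(default_factory=dict)


# Constructed server-side session store: session id -> CSRF token.
SESSIONS = {}


def new_session():
    """Create a session and its per-session CSRF token (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = token
    return sid, token


def media_type(headers):
    """Content-Type with parameters such as charset stripped, lower-cased."""
    return headers.get("Content-Type", "").split(";")[0].strip().lower()


def lenient_handler(req):
    """Weak backend: parses the body as JSON no matter what Content-Type says.

    A plain HTML form can deliver a JSON-shaped body as text/plain, so the
    content-type 'check' this endpoint believes it relies on is never enforced.
    """
    if req.method != "POST":
        return 405, None
    try:
        return 200, json.loads(req.body)
    except ValueError:
        return 400, None


def strict_handler(req):
    """Hardened backend: exact media-type check plus synchronizer token."""
    if req.method != "POST":
        return 405, None
    # Compare the media type only, so 'application/json; charset=utf-8' passes
    # and 'text/plain' carrying JSON does not.
    if media_type(req.headers) != "application/json":
        return 415, None  # Unsupported Media Type
    sid = req.cookies.get("JSESSIONID")
    expected = SESSIONS.get(sid)
    supplied = req.headers.get("X-CSRF-Token", "")
    # Token travels in a custom header the client sets explicitly; a form post
    # cannot add it. Constant-time comparison; missing session or token is rejected.
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403, None
    try:
        return 200, json.loads(req.body)
    except ValueError:
        return 400, None


if __name__ == "__main__":
    sid, tok = new_session()
    legit = Request(
        "POST",
        {"Content-Type": "application/json; charset=utf-8", "X-CSRF-Token": tok},
        '{"amount": 100}',
        {"JSESSIONID": sid},
    )
    # Constructed cross-site form post: JSON body, text/plain media type,
    # session cookie attached by the browser, no token header.
    cross = Request("POST", {"Content-Type": "text/plain"}, '{"amount": 100}', {"JSESSIONID": sid})
    print("legit  strict :", strict_handler(legit))
    print("cross  lenient:", lenient_handler(cross))
    print("cross  strict :", strict_handler(cross))
```

Running the script shows the lenient handler accepting the text/plain body with the same result as the genuine request, while the strict handler stops it at the media-type check; a request with the right media type but a wrong or missing token is stopped by the token check, which is the layer that still holds if the media-type assumption ever breaks.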

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow