Protecting your Drupal module against Cross Site Request Forgeries
Cross Site Request Forgeries (CSRF) are the 3rd most common vulnerability in Drupal and yet they are quite easy to protect against. The precise solution depends on where the problem is, but is never too complex to implement. To start, of course, we need to understand what CSRF actually is.
This article is now part of the Knowledge Base of Drupal security articles on Drupal Scout.
Read the rest of Protecting your Drupal module against Cross Site Request Forgeries
This page is kept so the comments posted here are available since they provide additional help and insights.
Comments
Submission
Provided you only take "actions" in the submit handler (or if you know it ran already). #576276 is a proposal to prevent accidents with validation handlers.
I've recently moved to expose
I've recently moved to expose modifying actions exclusively as forms for exactly the http accelerators you mention. The off-chance that an important site configuration goes bye-bye because somebody visits the site with an accelerator enabled is still scary (Here's a post from '05 by 37 signals reporting how Google Web Accelerator nuked Backpack pages ).
Thank you for the writeup!
W3 guidelines for handling arguments
There's also the issue that you shouldn't be using GET arguments for manipulating, especially deleting, data. Remember the snafu in 2005 when Google's Accelerator engine started causing problems on sites that had all of these Delete actions available as just standard links (with / without JS "confirmation") rather than via POST arguments (i.e. a form submission)? This seems like part of the same problem - you shouldn't be doing destructive actions by using GET arguments.
D7 GET protection
There's an issue now for Drupal 7 to add token support in url(), l(), and hook_menu(). http://drupal.org/node/755584
Some tips.
I recently read through this article to deal with some cross request stuff in general and found it to be quite helpful. It helped me think outside the realm of Drupal a little bit which helped. Lemme know what you think.
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet