Prevention Measures

There are many approaches to preventing CSRF. The security measures implemented by this middleware are:

Referer checking

When running under HTTPS - which you 100% should be doing in production, then most browsers send origin and / or referer headers (source).

This is used to detect if requests are coming from a different domain.

Same Origin Cookies

This is a relatively new feature designed to prevent CSRF attacks, which is already supported by most evergreen browsers. If all browsers supported it, there would be no need for any of the other CSRF preventions outlined above, but until then we employ a defence in depth strategy, and use a combination of prevention strategies to protect older browsers.

The session cookies provided by Piccolo API are same origin.