Online there is a way to use
$_SERVER['HTTP_REFERER']
But the article also points out that
Referer can be forged.
For example
header("Referer: www.aaa.com");
......
?>
I tried it; in the browser console it looks like the Referer being sent is changing.
But $_SERVER['HTTP_REFERER'] is empty, so it doesn't seem to be a problem.
Well, what about this parameter? Can you prevent it?
Reply to discussion (solution)
CSRF leverages trusted Web sites by disguising requests from trusted users
It is obviously not possible to rely on $_SERVER['HTTP_REFERER'], because it can be forged (as you know).
For forms, you can place an instant random string (token) or verification code
For normal pages, you can fetch a passphrase via Ajax (Ajax requests cannot be made cross-domain, and it is difficult to simulate that JS behavior).
You can also set additional cookie variables through objects loaded after the page (image slices, JS files).
As a passive defense, you can filter out unknown links in the page.
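Added example, not code from anyone in this thread: a session-bound CSRF token for a form, the "instant random string (token)" defense described above. The endpoint and field names are assumptions.

```php
<?php
// Added example (not from the thread). Assumed: the form posts back to this
// same script and the token field is named "csrf_token".
session_start();

// Create (or reuse) a per-session token. random_bytes() is a CSPRNG, so an
// attacker's page cannot guess it, and the same-origin policy stops that page
// from reading it out of our HTML.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session copy.
// $submitted is untyped on purpose: $_POST values may be arrays.
function csrf_check($submitted): bool
{
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject the request before doing anything state-changing. No Referer
    // check is involved, so a forged Referer gains the attacker nothing.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the real action here ...
    exit('OK');
}

// GET: render the form with the token as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <input type="text" name="comment">
  <button type="submit">Send</button>
</form>
```

A cross-site page can still make the victim's browser submit the form (with the victim's session cookie attached), but it cannot obtain the token value, so the POST is rejected. hash_equals() avoids leaking the token through timing differences in a plain string comparison.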
$ch = curl_init();
$opts = array(
    CURLOPT_URL            => 'http://your web/test.php',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_REFERER        => 'http://spider.baidu.com/', // forge referer
    CURLOPT_HTTPHEADER     => array("Expect:"),
);
curl_setopt_array($ch, $opts);
$s = curl_exec($ch);
The Referer you get in the 'http://your web/test.php' script is spider.baidu.com.
It's supposed to mean that.
Search Baidu for "curl simulated login"; there is a lot of relevant information. PHP practical QQ group: 33918040
OK, I'll study the research again ~ ~