One of the major puzzles is how to effectively prevent CSRF attacks.
$_SERVER['HTTP_REFERER']
However, some articles have pointed out that
the Referer can be forged,
for example:
<?php
header("Referer: www.aaa.com"); // sends a response header named Referer
......
?>
I tried it. The Referer does seem to change when I send it with header() and look at it in the console.
However, $_SERVER['HTTP_REFERER'] is empty, so it seems there is no problem.
So what if this variable does not work? Can it still be prevented?
Reply to discussion (solution)
CSRF exploits a trusted website by disguising a request as one coming from a trusted user.
Therefore, it is obviously not possible to rely on $_SERVER['HTTP_REFERER'], because it can be forged (you know).
For forms, you can place a random token or a verification code that is issued on the spot.
For ordinary pages, you can fetch a shared secret via Ajax (because Ajax is not cross-origin, and simulating JS behaviour is technically difficult).
You can also pass extra cookie variables through objects loaded in the middle and late stages of the page load (such as sliced images and JS files).
As a passive defence, you can filter out links on the page that do not point to known destinations.
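As an added example (not code from this thread), here is the "random token in the form" approach from the reply above, written in PHP. The function names csrf_token, csrf_field and csrf_verify, the field name "_csrf", and the use of a plain array in place of $_SESSION are assumptions made so the script runs self-contained from the command line.

```php
<?php
// Added example, not from the original thread: per-session random CSRF token
// (a "synchronizer token"), as suggested in the reply above.
// Assumptions: function names csrf_token/csrf_field/csrf_verify, the field
// name "_csrf", and a plain array standing in for $_SESSION for CLI use.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

/** Issue a random token once per session and return it. */
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        // 32 bytes from the CSPRNG; hex encoding makes it safe to embed in HTML.
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden field to include in every state-changing form. */
function csrf_field(array &$session): string
{
    $value = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_csrf" value="' . $value . '">';
}

/**
 * Check the token on a POST. A missing, non-string or wrong token is rejected.
 * hash_equals() compares in constant time, so a wrong guess leaks nothing
 * about how many leading characters matched.
 */
function csrf_verify(array $session, array $post): bool
{
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given = $post['_csrf'] ?? '';
    if (!is_string($given) || $expected === '' || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

/** Constructed walk-through: one legitimate submit, two cross-site attempts. */
function csrf_demo(): void
{
    $session = [];                      // stands in for $_SESSION
    $formHtml = csrf_field($session);   // rendering the form issues the token

    // Legitimate browser: submits the token it was given in the page.
    $legit = ['_csrf' => csrf_token($session), 'amount' => '100'];
    if (!csrf_verify($session, $legit)) {
        throw new RuntimeException('legitimate request was rejected');
    }

    // Cross-site request: the attacker can set any Referer with curl, but cannot
    // read the victim's token (same-origin policy), so it is absent or guessed.
    $noToken = ['amount' => '100'];
    $guessed = ['_csrf' => str_repeat('0', 64), 'amount' => '100'];
    if (csrf_verify($session, $noToken) || csrf_verify($session, $guessed)) {
        throw new RuntimeException('forged request was accepted');
    }

    echo "form field: {$formHtml}\n";
    echo "token check: legitimate request accepted, forged requests rejected\n";
}

csrf_demo();
```

In a real application the session array is $_SESSION after session_start(), the token is regenerated when the user logs in, and the check is applied to every request that changes state, not only to HTML forms (Ajax calls can send the same token in a header). The point of the check is that the token is readable only by pages served from your own origin, which a forged Referer does nothing to bypass.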
<?php
$ch = curl_init();
$opts = array(
    CURLOPT_URL            => 'http://yourweb/test.php', // your own site
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_REFERER        => 'http://spider.baidu.com/', // counterfeit Referer
    // token => array("CT:",),   (unclear option in the original post, left as written)
);
curl_setopt_array($ch, $opts);
$s = curl_exec($ch);
curl_close($ch);
The Referer you get in the 'http://yourweb/test.php' script is spider.baidu.com.
This is what spoofing means.
Search Baidu for "curl simulated login"; there is a lot of related information. PHP practice QQ group: 33918040
OK, I will study it some more ~~