Is an X-Requested-With header server check sufficient to protect against a CSRF for an ajax-driven application?

庸人自扰 2020-12-05 04:44

I'm working on a completely ajax-driven application where all requests pass through what basically amounts to a main controller which, at its bare bones, looks something li

6 answers
  •  眼角桃花
    2020-12-05 05:24

    I do not think this offers any kind of protection. An attacking site could still use XMLHttpRequest for its cross-site request and bypass your check.
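A server-side check that does not rely on the X-Requested-With header alone, given as an added example that is not part of the question or of the answer above. The function name, the `X-CSRF-Token` header name, the `https://app.example` origin and the sample token are assumptions made for illustration.

```python
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Assumed deployment value; replace with the application's own origin(s).
ALLOWED_ORIGINS = {"https://app.example"}


def _origin_of(url):
    """Return scheme://host[:port] for an absolute URL, else None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None  # covers the literal "null" origin and relative values
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request(method, headers, session_token):
    """Return (allowed, reason) for one request.

    headers: dict of request headers. session_token: the per-session CSRF
    token held server-side (None if the session has none).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method"  # must not change state server-side

    # 1. Origin (Referer as fallback) has to be one of our own origins.
    source = h.get("origin") or h.get("referer")
    if source is None or _origin_of(source) not in ALLOWED_ORIGINS:
        return False, "origin not allowed"

    # 2. The header check from the question, kept as one signal only.
    if h.get("x-requested-with") != "XMLHttpRequest":
        return False, "missing X-Requested-With"

    # 3. Per-session token (hypothetical header name), constant-time compare.
    sent = h.get("x-csrf-token", "")
    if not session_token or not hmac.compare_digest(
            sent.encode(), session_token.encode()):
        return False, "bad CSRF token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample request: header present, but foreign origin.
    print(check_request("POST", {"Origin": "https://other.example",
                                 "X-Requested-With": "XMLHttpRequest"},
                        "constructed-token"))
```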
