Is an X-Requested-With header server check sufficient to protect against a CSRF for an ajax-driven application?

Frontend | Unresolved | 6 answers | 2219 views
庸人自扰 2020-12-05 04:44

I'm working on a completely ajax-driven application where all requests pass through what basically amounts to a main controller which, at its bare bones, looks something li

6 answers
  •  南笙 (OP)
     2020-12-05 05:11

    Short answer: no. Any attacker would just use Ajax himself to attack your website. You should generate a random token with a short (but not excessively short) lifetime, which you would update during each ajax request.

    You'd have to use an array of tokens in javascript as you may have multiple ajax request running at the same time.
