I'm working on a completely ajax-driven application where all requests pass through what basically amounts to a main controller which, at its bare bones, looks something li
No, this can be easily bypassed by making a cross-domain Flash request to the server that contains this header and the request with its credentials. See this: https://www.geekboy.ninja/blog/exploiting-json-cross-site-request-forgery-csrf-using-flash/?unapproved=6685&moderation-hash=91554c30888cfb21580f6873e0569da0
The best way to protect against CSRF is to make a header or parameter contain a secret key for each request,
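A sketch of the per-request secret described in the answer above, added here as an example and not code from the question or the answer: the server issues a single-use token bound to the session and accepts a request only if that token comes back. The `CsrfGuard` class, the `handle_request` helper and the `X-CSRF-Token` header name are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class CsrfGuard:
    """Issues and checks single-use CSRF tokens bound to a session id (hypothetical helper)."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._unused = {}  # session id -> nonces issued but not yet spent

    def _mac(self, session_id: str, nonce: str) -> bytes:
        msg = f"{session_id}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest().encode()

    def issue(self, session_id: str) -> str:
        nonce = secrets.token_urlsafe(16)
        self._unused.setdefault(session_id, set()).add(nonce)
        return nonce + "." + self._mac(session_id, nonce).decode()

    def verify(self, session_id: str, token) -> bool:
        if not token or "." not in token:
            return False
        nonce, mac = token.rsplit(".", 1)
        # Constant-time comparison; the MAC ties the token to this session.
        if not hmac.compare_digest(mac.encode(), self._mac(session_id, nonce)):
            return False
        pending = self._unused.get(session_id, set())
        if nonce not in pending:
            return False  # never issued, or already spent (replay)
        pending.discard(nonce)
        return True


def handle_request(guard: CsrfGuard, session_id: str, headers: dict) -> bool:
    # X-Requested-With is not consulted: the decision rests on the secret
    # token, which a cross-site page cannot read.
    return guard.verify(session_id, headers.get("X-CSRF-Token"))


if __name__ == "__main__":
    guard = CsrfGuard(secrets.token_bytes(32))
    token = guard.issue("session-A")  # constructed session id
    print(handle_request(guard, "session-A", {"X-Requested-With": "XMLHttpRequest"}))
    print(handle_request(guard, "session-A", {"X-CSRF-Token": token}))
    print(handle_request(guard, "session-A", {"X-CSRF-Token": token}))
```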