Sorry... What is CSRF?
I'm writing a set of Java clients for popular exchanges and for the last two days I've been debugging communications with the TradeHill API. The error message has been ....
Forbidden 403
CSRF verification failed. Request aborted.
TradeHill says that they will look into their django server configuration regarding a possible fix that I found on the internet.
CSRF is an acronym for Cross Site Request Fraud, and what the original poster wants is for bitcoin financial web sites to enforce security so that someone else cannot hijack your session with the web site. CSRF is a protocol in which the server sends to you a certain random token and which your client, e.g. web browser returns to prove that you are the same entity that originally started the session.
For example, TradeHill sends to me the following HTTP header when I perform an HTTP against their API URL at
https://api-test.tradehill.com/APIv1/USD/GetBalance ..
Set-Cookie: csrftoken=35d13f0f2708ee17b0834719b902ad65; Max-Age=31449600; Path=/ <== GENERATED BY TRADEHILL, UNIQUE FOR EACH SESSION
My subsequent API request must specify that token when performing an HTTP POST, e.g. ...
X-CSRFToken: 35d13f0f2708ee17b0834719b902ad65 <== PROVES THAT I ORIGINATED THE SESSION
