As the question asks, I have a generic website using Jetty and I'm being asked for CSRF protection.
If I have a form:
<form action="http://somedomain.com/somepage">
<input ....>
</form>
My question: If somepage only accepts content-type: application/json, is this enough to prevent CSRF? I am sure I have to generate a unique token per user. However, how would someone be able to violate CSRF if the only protection is done by way of content-type?
Short answer: Probably
Long answer: Don't bank on it.
See this question for a more complete explanation, but while content-type checking works today, you can get pretty close by posting valid JSON as text/plain, which may be incorrectly parsed by some backends.
Additionally, if enctype='application/json' ever becomes valid HTML, your whole system is pooched.
While it's a great first step, if you really want to protect against CSRF attacks, implement a proper CSRF token system.
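The "valid JSON as text/plain" trick from the answer, worked through as an added example (this is not code from the original post or from Jetty; the endpoint names, the hypothetical `forgedRequest` helper and the transfer payload are all constructed here). A form with enctype="text/plain" is serialised by the browser as name=value followed by CRLF, with no escaping, so putting most of the JSON in the field name and the closing quote in the value produces a body that still parses as JSON. The block then shows three server-side handlers: one that parses the body regardless of header, one that checks the media type, and one that additionally requires a per-session token.

```javascript
// Added example, not from the original post. Everything below is constructed:
// the attacker's form, the request objects and the handler names.

// 1. The attacker's cross-site form. With enctype="text/plain" the browser
//    emits each field as "<name>=<value>\r\n" with no percent-encoding, so the
//    "=" lands inside a throwaway "pad" string and the result is valid JSON.
const attackerForm = {
  enctype: "text/plain",
  fields: [
    { name: '{"action":"transfer","to":"attacker","amount":1000,"pad":"', value: '"}' },
  ],
};

// Mimics the browser's text/plain form serialisation (written here for the
// example, not taken from any browser source).
function serializeTextPlainForm(form) {
  return form.fields.map((f) => `${f.name}=${f.value}\r\n`).join("");
}

// The request as the victim's browser would send it: a plain-form POST that
// carries the session cookie and a text/plain body.
function forgedRequest() {
  return {
    headers: { "content-type": "text/plain" },
    body: serializeTextPlainForm(attackerForm),
  };
}

// 2. A lax backend: parses the body as JSON whenever it looks like JSON,
//    ignoring the Content-Type header. This is the "incorrectly parsed by
//    some backends" case and it accepts the forged request.
function laxHandler(req) {
  try {
    const data = JSON.parse(req.body);
    return { status: 200, action: data.action, amount: data.amount };
  } catch (e) {
    return { status: 400 };
  }
}

// 3. Media-type check: only "application/json" (parameters such as charset
//    allowed) is accepted. A cross-site HTML form cannot produce this header
//    today, so text/plain is rejected before the body is parsed.
function hasJsonContentType(headers) {
  const ct = (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  return ct === "application/json";
}

function contentTypeCheckedHandler(req) {
  if (!hasJsonContentType(req.headers)) return { status: 415 };
  return laxHandler(req);
}

// 4. The proper defence the answer recommends: a per-session secret the
//    attacker's origin cannot read, sent in a header and compared server-side.
//    The Content-Type check stays as defence in depth.
function tokenCheckedHandler(req, sessionToken) {
  if (!hasJsonContentType(req.headers)) return { status: 415 };
  if (req.headers["x-csrf-token"] !== sessionToken) return { status: 403 };
  return laxHandler(req);
}

// A legitimate same-origin request from the application's own JavaScript.
function legitimateRequest(sessionToken) {
  return {
    headers: {
      "content-type": "application/json; charset=utf-8",
      "x-csrf-token": sessionToken,
    },
    body: JSON.stringify({ action: "transfer", to: "savings", amount: 5 }),
  };
}

// Stand-alone run: the lax handler executes the forged transfer, the
// Content-Type check rejects it, and the token check rejects a wrong token.
console.log(laxHandler(forgedRequest()).status, contentTypeCheckedHandler(forgedRequest()).status);
console.log(tokenCheckedHandler(legitimateRequest("s3cr3t"), "s3cr3t").status);
```

The reason the Content-Type check holds today is that a cross-site `fetch()` or XMLHttpRequest setting `Content-Type: application/json` is not a "simple" request, so the browser sends a CORS preflight that your server can refuse; HTML forms are limited to application/x-www-form-urlencoded, multipart/form-data and text/plain. The check in `hasJsonContentType` therefore only excludes what browsers can currently forge, which is exactly why the token in `tokenCheckedHandler` is the control to rely on.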