I know that Codeigniter has a very useful security class which can prevent CSRF/XSRF if you use the form helpers, but since the CI url structure calls a lot of functions pretty much directly, how can I prevent CSRF for things like /action/logout without having an additional confirmation form like SE has?
Ideas I've had:
<img src="http://example.com/action/logout" />)I won't bother protecting things like /account/view/1/cyclone/ since it doesn't perform an action and would at most be a waste of bandwidth.
Granted, I do know that some people like to code things to automate their website usage and I respect that, which is why I'll be creating an API for performing actions via code or automatically.
As a general rule, any form request that performs an action should use POST. For all else GET is permitted. Using POST will definitely help. I believe you can also include the token as a hidden field in the form instead of an ugly string in the URL. As for checking the requested MIME type, this is not possible. Do a print_r($_SERVER) and in there is basically everything you get from the user as well as server side stuff.