Missing CSRF token on request to /cdn-cgi/zaraz/t

thomas32 · May 1, 2023, 5:08pm

I have added Zaraz to my website and included a couple of scripts this way. Everything is working fine. I see requests made to /cdn-cgi/zaraz/t in the console for event tracking etc. I’m using some penetration test software that complains that the requests to /cdn-cgi/zaraz/t don’t include a CSRF token. I know that this is not an error with Zaraz or anything. But does anyone have an idea of how to include this token from my web app? I would only do this to make the penetration test software not flag this so it won’t improve security at all.

I tried to include this on all pages but doesn’t seem to work:

XMLHttpRequest.prototype.origOpen = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function (method, url) {
    this.origOpen.apply(this, arguments);
    if (url === '/cdn-cgi/zaraz/t') {
        this.setRequestHeader('__RequestVerificationToken', 'bla');
    }
};

WalshyMVP · May 1, 2023, 6:03pm

You do not need a CSRF token for Zaraz and adding some arbitrary token isn’t something I’d recommend at all.

Just ignore the warning or mark it as a false positive if you can.
It’s more effort than it’s worth and you may just cause things to break either now or in the future.

thomas32 · May 2, 2023, 5:00am

Agree, this is a terrible “hack” and only done to accommodate for the pen test software not having a way to mark things as false positives. Only looking for suggestions and if something really clever appeared, I might want to do it.