
Should I use HTTP referer validation or token validation to prevent CSRF attacks?

Updated: 2023-12-05 14:52:34

Checking the referrer is problematic. First of all, the HTTP specification specifically allows for clients to not send referrer strings (for various privacy reasons). So, some of your clients may not include it. Second, referrer strings can be spoofed, where an attacker of sufficient skill can make them look like what they need to be in order to carry out a successful CSRF attack.

Using a CSRF validation token is a stronger approach and is the preferred method of mitigation against CSRF attacks. You can read about why this is on the OWASP CSRF Cheat Sheet.

I will also point out that there is no reason why you cannot do both. A Defense-In-Depth (DiD) strategy is usually desirable, so that an attacker would need to defeat multiple, independent defenses to execute a successful attack. You could implement a weak-referrer-checking approach (IF a referrer is provided by the client, make sure it is what it should be before acting on the request; if the referrer is not present, proceed as if it were present and correct) along with a CSRF validation token. That way, you check the referrer information if the client provides it while still making use of the stronger validation token approach.
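The layered check the answer describes, as an added example (not code from the original answer or from OWASP): a tolerant referrer check that only rejects a Referer pointing at a foreign origin, combined with a mandatory session-bound CSRF token compared in constant time. The origin `https://app.example.test` and the dict-shaped headers/form/session are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed example: the only origin from which state-changing forms are served.
ALLOWED_ORIGIN = "https://app.example.test"


def issue_csrf_token() -> str:
    """Unpredictable per-session token; the server stores it in the session."""
    return secrets.token_urlsafe(32)


def referrer_ok(headers: dict) -> bool:
    """Weak referrer check: reject only when a Referer is present AND points elsewhere.

    A missing or empty Referer is tolerated because browsers and privacy
    tooling legitimately strip it, so a hard requirement would break real users.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    referer = lowered.get("referer")
    if not referer:
        return True
    parts = urlsplit(referer)
    # Compare scheme://host[:port] only; path and query are irrelevant and attacker-chosen.
    origin = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    return origin == ALLOWED_ORIGIN


def token_ok(session_token, submitted_token) -> bool:
    """Strong check: the submitted token must equal the session's token.

    compare_digest avoids a timing side channel; encoding to bytes keeps it
    from raising on non-ASCII input an attacker could submit.
    """
    if not isinstance(session_token, str) or not isinstance(submitted_token, str):
        return False
    return hmac.compare_digest(session_token.encode("utf-8"), submitted_token.encode("utf-8"))


def accept_state_changing_request(headers: dict, form: dict, session: dict) -> bool:
    """Defense in depth: both independent checks must pass before the request is acted on."""
    return referrer_ok(headers) and token_ok(session.get("csrf_token"), form.get("csrf_token"))
```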