CSRF Protection with codeigniter

  softwareengineering

I have very little knowledge of application security. I have often seen that, to protect an application from CSRF attacks, developers use tokens and pass these tokens with the request to validate it. I want to know: if I just validate that the request is coming from my server and reject all requests coming from any other server, how can it be unsafe?

1

You cannot know where the request is coming from for sure. Sure, you can check the HTTP referer, but that has implications as well.

Many users have set their browsers to not supply the server with the referrer, so you will get rubbish data. If you don’t allow empty referrers you will block a lot of legitimate requests. If you allow empty referrers, then all those that have set their browser to not send referrer can be a victim of CSRF.

So rejecting requests based on this will get you nowhere.

Edit: It’s called ‘HTTP referer’, a misspelling of the word referrer.

2
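To make the answer's two points concrete, here is an added, framework-agnostic illustration (not code from the question, the answer, or CodeIgniter itself). The first function models a Referer-only check and shows the dilemma: whichever way an empty header is treated, one class of request is handled wrongly. The second pair of functions is the synchronizer-token pattern the question refers to: a random per-session token stored server-side, echoed back in the form, and compared in constant time. `SITE_ORIGIN`, the session dict and the sample Referer values are constructed assumptions.

```python
import hmac
import secrets
from typing import Optional

# Constructed assumption: the origin the application considers its own.
SITE_ORIGIN = "https://app.example"


def referer_policy_decision(referer: Optional[str], allow_empty: bool) -> str:
    """Decide on a state-changing request using only the Referer header.

    Returns "accept" or "reject". Browsers may be configured not to send
    the header at all, so an absent value is ambiguous: `allow_empty=False`
    blocks those legitimate users, `allow_empty=True` lets a request with
    no header through unchecked.
    """
    if not referer:
        return "accept" if allow_empty else "reject"
    # Match scheme + host exactly; the path of the referring page is irrelevant,
    # and requiring the trailing "/" stops "https://app.example.other" matching.
    if referer == SITE_ORIGIN or referer.startswith(SITE_ORIGIN + "/"):
        return "accept"
    return "reject"


def issue_csrf_token(session: dict) -> str:
    """Create a random per-session token and keep a copy server-side.

    The token is embedded in the form as a hidden field. A page on another
    origin cannot read it, so a forged request cannot supply the right value.
    """
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def validate_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Accept only if the submitted token equals the session copy.

    hmac.compare_digest keeps the comparison constant-time, so a wrong token
    cannot be told apart from a nearly-right one by response timing.
    """
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def demo() -> dict:
    """Run constructed sample requests through both checks and collect results."""
    results = {}

    # Constructed Referer values for three kinds of request.
    same_site = SITE_ORIGIN + "/account/settings"
    other_site = "https://other.example/page"
    stripped = None  # user's browser configured not to send a referrer

    results["strict_same_site"] = referer_policy_decision(same_site, allow_empty=False)
    results["strict_other_site"] = referer_policy_decision(other_site, allow_empty=False)
    # Legitimate user with a stripped referrer is blocked under the strict policy...
    results["strict_stripped"] = referer_policy_decision(stripped, allow_empty=False)
    # ...and under the lenient policy a header-less request is accepted unchecked.
    results["lenient_stripped"] = referer_policy_decision(stripped, allow_empty=True)

    # Token check: only the value issued for this session validates.
    session: dict = {}
    token = issue_csrf_token(session)
    results["token_valid"] = validate_csrf_token(session, token)
    results["token_forged"] = validate_csrf_token(session, "0" * 64)
    results["token_missing"] = validate_csrf_token(session, None)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token check does not care where the request came from; it only cares that the sender could read a secret that lives in the user's own page, which is why it avoids the Referer dilemma entirely. CodeIgniter ships this pattern built in: in version 3 it is switched on with `$config['csrf_protection'] = TRUE;` in application/config/config.php, after which the form helper emits the hidden token field for you.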
