News

To secure AJAX requests and responses, developers should use techniques such as setting appropriate HTTP headers, using CSRF tokens and implementing authentication mechanisms.
Of the 12 popular AJAX frameworks investigated by Fortify, only one—DWR 2.0—is designed to prevent malicious scripters from exploiting potential CSRF vulnerabilities.
A bit more snooping around uncovered that the AJAX eval() preview script wasn’t secured by a CSRF token, which could easily be exploited by a malicious hacker.