A little while back I read about how WordPress was implementing Nonce to help enhance security. What I like about this technique is that it doesn’t rely on referrer checking (which is faulty at best).
Today I implemented that on a project I’m working on, rather similar in style to WordPress. I think overall it’s a better approach to referrer checking. It seems the nonce approach is actually quite popular on the web looking at commercial sites, but not a technique often talked about.
Well done by the WordPress team. My implementation is pretty similar to theirs (my variables and salting is a little different based on the app) since it was pretty hard to improve upon. Not sure how long to make the Nonce, so I stuck with 10, which is what I believe they did as well. Not sure if I should go with something longer.
One of the great things about open source is the discussion of best practices and techniques. It also benefits closed source projects who can gain influence and knowledge from those discussions.