Should CSRF protection be used for anonymous users, or does that defeat its purpose?
I have a URL that can be accessed anonymously. When the URL is accessed with the appropriate information, some values are updated in my database. For example, a client can place some code on their order confirmation page that will make a POST request to http://example.com/save-request
with the following data sent:
{orderId: 1234, referralCode: 'ABCDEF'}
When I receive this request, I update the given order in my database with the referral code:
// Laravel controller logic (Eloquent). Order::find() returns null for an unknown id,
// so the next line would fail on a bad orderId rather than return a clean error.
$order = Order::find(Input::get('orderId'));
// The referral code is written straight from the request, so whoever can reach this
// URL with a valid orderId can set the code for that order.
$order->referral_code = Input::get('referralCode');
$order->save();
I am trying to protect this URL from abuse so that a user can't send requests for random Order IDs and try to get their referral code associated with them.
CSRF protection comes to mind, but that would mean I need to first fetch the token, which would require another public URL. It seems like that would make it slightly harder for abuse, but still possible since the abuser can simply fetch a token, and then make requests as normal.
Are there any strategies to protect against this sort of abuse?
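One strategy that addresses the concern in the question, written here as an added example (it is not code from the question or from the asker's application): instead of a CSRF token that anyone can fetch, bind a per-order authenticator to the order at checkout. The server that creates the order computes an HMAC over the orderId with a secret the browser never sees, embeds that value in the confirmation page next to orderId, and /save-request refuses any request whose token does not verify. A CSRF token proves only that the caller loaded a page; this token proves the caller saw the confirmation page for that specific order, so guessing random Order IDs no longer works. The parameter name `orderToken`, the constant `ORDER_TOKEN_KEY`, the in-memory `$orders` array standing in for `Order::find()`, and the write-once rule for `referral_code` are all assumptions of this example, not part of the original post.

```php
<?php
// Added example, not from the original question: per-order HMAC token for /save-request.
// Assumption: the code that creates the order and the /save-request handler share this
// secret key, and the key is never sent to the browser. Hypothetical value.
const ORDER_TOKEN_KEY = 'replace-with-a-random-32-byte-secret-from-your-config';

// Called when the order is created. The returned token is rendered into the order
// confirmation page alongside orderId, so only a client that rendered that page for
// that order can present it. The orderId is part of the MAC input, so a token for one
// order cannot be replayed against another.
function issueOrderToken(int $orderId, string $key = ORDER_TOKEN_KEY): string
{
    return hash_hmac('sha256', 'save-request:' . $orderId, $key);
}

// Called by /save-request before touching the database. hash_equals() is a
// constant-time comparison, so timing does not leak how many bytes matched.
function verifyOrderToken(int $orderId, string $token, string $key = ORDER_TOKEN_KEY): bool
{
    return hash_equals(issueOrderToken($orderId, $key), $token);
}

// Simulated handler. $orders is a constructed in-memory stand-in for the Order model;
// in Laravel the same checks would sit in front of Order::find()->save().
function handleSaveRequest(array &$orders, array $input): string
{
    $orderId = (int) ($input['orderId'] ?? 0);
    $token   = (string) ($input['orderToken'] ?? '');

    if (!isset($orders[$orderId])) {
        return '404 unknown order';          // find() would have returned null here
    }
    if (!verifyOrderToken($orderId, $token)) {
        return '403 invalid token';          // guessed orderId, or token for another order
    }
    if ($orders[$orderId]['referral_code'] !== null) {
        return '409 referral code already set'; // write-once: a later request cannot overwrite it
    }
    $orders[$orderId]['referral_code'] = (string) ($input['referralCode'] ?? '');
    return '200 saved';
}

// Constructed demonstration data.
$orders = [
    1234 => ['referral_code' => null],
    5678 => ['referral_code' => null],
];
$legit = issueOrderToken(1234);   // what the confirmation page for order 1234 would carry

$results = [
    // legitimate confirmation page for order 1234
    handleSaveRequest($orders, ['orderId' => 1234, 'orderToken' => $legit, 'referralCode' => 'ABCDEF']),
    // abuser who only knows an orderId and has no token
    handleSaveRequest($orders, ['orderId' => 5678, 'orderToken' => 'guess', 'referralCode' => 'ABCDEF']),
    // abuser reusing a valid token against a different order
    handleSaveRequest($orders, ['orderId' => 5678, 'orderToken' => $legit, 'referralCode' => 'ABCDEF']),
    // legitimate client retrying after the code was already recorded
    handleSaveRequest($orders, ['orderId' => 1234, 'orderToken' => $legit, 'referralCode' => 'ZZZZZZ']),
];

$expected = ['200 saved', '403 invalid token', '403 invalid token', '409 referral code already set'];
if ($results !== $expected) {
    throw new RuntimeException('unexpected results: ' . implode(', ', $results));
}
if ($orders[1234]['referral_code'] !== 'ABCDEF' || $orders[5678]['referral_code'] !== null) {
    throw new RuntimeException('database state is wrong');
}
echo "all checks passed\n";
```

This stops the abuse the question describes (attaching a referral code to someone else's order), because the token is unguessable without the server secret and is bound to one orderId. It does not stop the legitimate buyer of an order from submitting whatever referral code they like, and it does not stop replay by the same party, which is why the handler also treats the first write as final. The key must come from server configuration, not from the page source, and rotating it invalidates outstanding tokens, so keep confirmation pages short-lived or include a timestamp in the MAC input if that matters.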