[ec109685]

This is FUD:

> Hence the banking server or generally web application servers will most likely simply execute any action received and allow the attack to launch.

While these are useful headers, there are protections today via XSRF tokens to prevent these attacks that all major sites implement, so it isn’t likely your bank is vulnerable.

[aj3]

It's not FUD. There are protections, but csrf tokens are a workaround while these headers are more akin to proper solution. Also, it won't magically make CSRF obsolete same way Origin header and CORS didn't make CSRF obsolete, but it's another tool in the appsec toolbox.

[ec109685]

It is FUD. They claim your bank website is most likely susceptible to this attack. It is not.