A good reason is for security – this can prevent CSRF attacks because this header cannot be added to the AJAX request cross domain without the consent of the server via CORS.
Only the following headers are allowed across origins:
- Accept
- Accept-Language
- Content-Language
- Last-Event-ID
- Content-Type
any others cause a “pre-flight” request to be issued in CORS supported browsers.
Without CORS it is not possible to add X-Requested-With to a cross domain XHR request.
If the server is checking that this header is present, it knows that the request didn’t initiate from an attacker’s domain attempting to make a request on behalf of the user with JavaScript. This also checks that the request wasn’t POSTed from a regular HTML form, of which it is harder to verify it is not cross domain without the use of tokens. (However, checking the Origin header could be an option in supported browsers, although you will leave old browsers vulnerable.)
New Flash bypass discovered
You may wish to combine this with a token, because Flash running on Safari on OSX can set this header if there’s a redirect step. It appears it also worked on Chrome, but is now remediated. More details here including different versions affected.
OWASP Recommend combining this with an Origin and Referer check:
This defense technique is specifically discussed in section 4.3 of Robust Defenses for Cross-Site Request Forgery. However, bypasses of this defense using Flash were documented as early as 2008 and again as recently as 2015 by Mathias Karlsson to exploit a CSRF flaw in Vimeo. But, we believe that the Flash attack can’t spoof the Origin or Referer headers so by checking both of them we believe this combination of checks should prevent Flash bypass CSRF attacks. (NOTE: If anyone can confirm or refute this belief, please let us know so we can update this article)
However, for the reasons already discussed checking Origin can be tricky.
Update
Written a more in depth blog post on CORS, CSRF and X-Requested-With here.