security - Which code should I return when a request doesn't pass cross-site forgery attack validation?
I filter the referrer field of HTTP requests to prevent cross-site forgery attacks. I know it's a bad idea, and I use ASP.NET MVC's built-in anti-forgery mechanism, but our customer has a special security utility that checks for cross-site forgery attacks by changing the referrer field of the HTTP request.

My question is: what do I need to do when I receive a domain that is not allowed? Which HTTP code should I return, and which page should be shown to the user?

Should it be a custom "404 Not Found" page, or a redirect to the main page?

What is the common practice?
"403 Forbidden", and provide an HTML body directing users to the home page.

An attacker can't see the status code of a CSRF attack during the POST (due to the same-origin policy), so the HTTP code is of no consequence apart from serving to inform real users.
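A referrer check of the kind the question describes, combined with the 403-plus-HTML-body answer above, written as an ASP.NET MVC (System.Web.Mvc) action filter. This is an added example, not the asker's or answerer's code; it goes slightly beyond the answer by also accepting the Origin header as the request source, and the allow-list hosts are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web.Mvc;

// Action filter for ASP.NET MVC (System.Web.Mvc): refuse state-changing requests
// whose Origin/Referer host is not on the allow-list, answering 403 plus an HTML body.
public sealed class ValidateReferrerAttribute : ActionFilterAttribute
{
    // Placeholder hosts: replace with the site's own host name(s).
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "www.example.com", "example.com" };

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        // Safe methods change no state; only POST/PUT/DELETE/PATCH are checked.
        if (request.HttpMethod == "GET" || request.HttpMethod == "HEAD" || request.HttpMethod == "OPTIONS")
            return;

        // Browsers send Origin on cross-site POSTs; fall back to Referer when it is absent.
        string source = request.Headers["Origin"];
        if (string.IsNullOrEmpty(source) && request.UrlReferrer != null)
            source = request.UrlReferrer.AbsoluteUri;
        if (IsAllowed(source))
            return;

        // 403 with a readable body: an attacker never sees it, a real user gets a way home.
        var response = filterContext.HttpContext.Response;
        response.StatusCode = (int)HttpStatusCode.Forbidden;
        response.TrySkipIisCustomErrors = true;   // serve our body, not the IIS error page
        filterContext.Result = new ContentResult
        {
            ContentType = "text/html",
            Content = "<html><body><h1>Request refused</h1><p>This request did not originate " +
                      "from this site. <a href=\"/\">Return to the home page</a>.</p></body></html>"
        };
    }

    // Compare the parsed host only; a substring test would accept
    // "www.example.com.attacker.invalid", and an empty or malformed header fails closed.
    internal static bool IsAllowed(string source)
    {
        Uri uri;
        if (string.IsNullOrEmpty(source) || !Uri.TryCreate(source, UriKind.Absolute, out uri))
            return false;
        return AllowedHosts.Contains(uri.Host);
    }
}
```

Apply it as `[ValidateReferrer]` on the controllers or actions that change state, alongside the built-in `[ValidateAntiForgeryToken]` rather than instead of it.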