If I have:
- A web front-end on one domain.
- A REST API on another domain.
- The REST API server configured to only allow cross-origin requests from the web front-end domain by setting the header `Access-Control-Allow-Origin` to the web front-end domain.
Aside from more hoops to jump through, what additional security does CSRF protection provide? Attackers can't POST to my backend without first injecting their code into the web front-end, right?
On this question, Chris Pratt said, "[...] So, yes, I think as a rule any API view should be CSRF exempt. [...]" Is that concept valid, and does it include my topology?
In my configuration, with CORS properly configured, do I need to decorate `GET`, `POST`, `PUT`, and `DELETE` requests coming from the web front-end with the cookie and the data-element CSRF token?
Meta: Enlightened individuals may see this question as a duplicate, but I have read this, this, this, this, this, this, and this, and I still need some help. Please help me flesh this idea out more.