I am trying to implement CSRF protection using a CSRF token in one of my projects. I am new to this and was reading about sending the CSRF token in a request to the server, and found out that sending the CSRF token via HTTP POST is recommended over GET. My question is:
If the HTTP URL exposes the CSRF token in a GET request, and a potential attacker can create the CSRF request using this CSRF token and attack using JavaScript, then why can't he do the same when the CSRF token is stored as a hidden field in a form? If my site has an XSS vulnerability, then the attacker can get the token from the hidden field and send the request along with that token.
Thanks in advance!!
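
Added example, not part of the original post: a server-side check that accepts a session-bound CSRF token only from the POST body (the hidden form field) and refuses any request that carries it in the URL. The field name `csrf_token`, the key handling and the sample URLs are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed for the example; a real application loads the key from its secret store.
SERVER_KEY = secrets.token_bytes(32)
FIELD = "csrf_token"  # hypothetical hidden-field name


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Token bound to one session: random nonce plus HMAC(key, session_id:nonce)."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def token_is_valid(session_id: str, token: str) -> bool:
    nonce, sep, mac_hex = token.partition(".")
    if not sep:
        return False
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    return hmac.compare_digest(_mac(session_id, nonce).encode(), mac_hex.encode())


def check_request(method: str, url: str, form: dict, session_id: str) -> str:
    """Return 'ok' or the reason the request is refused."""
    query = parse_qs(urlsplit(url).query)
    if FIELD in query:
        # A token in the URL is copied into access logs, browser history
        # and Referer headers; the POST body is not.
        return "token in URL"
    if method.upper() != "POST":
        return "state change requires POST"
    if not token_is_valid(session_id, form.get(FIELD, "")):
        return "bad token"
    return "ok"
```

Binding the token to the session means a token issued for one session fails validation when replayed under another.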