Thus it is important for the backend to check the XSRF key against one that other websites cannot read.
If you send the XSRF token in a cookie and a hidden form field, this will not require any JS, since the browser will automatically repeat the hidden form field.
However, you need to make sure no CORS header is sent; otherwise other websites will be able to read the XSRF token sent in the hidden form field.
E.g.
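The cookie-plus-hidden-field check described above, as an added example that is not part of the original wiki text. The cookie name, form field name and function names are assumptions chosen for illustration; the pattern is the one the paragraph describes: one random token issued per session, placed in a cookie and echoed in a hidden form field, compared on the backend with a constant-time comparison. A final helper reflects the CORS caveat by flagging any response that carries an `Access-Control-Allow-Origin` header.

```python
import hmac
import secrets

# Hypothetical names used only for this example.
COOKIE_NAME = "XSRF-TOKEN"
FIELD_NAME = "xsrf_token"


def issue_token() -> str:
    """Generate a fresh, unguessable token when a session is created."""
    return secrets.token_urlsafe(32)


def set_cookie_header(token: str) -> str:
    """Set-Cookie header for the token; HttpOnly is fine here because the no-JS
    variant never needs scripts to read the cookie, only the backend does."""
    return f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def render_form(token: str) -> str:
    """Hidden form field; the browser repeats it automatically on submit."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'


def verify_request(cookies: dict, form: dict) -> bool:
    """Accept a state-changing request only if the cookie token and the form
    token are both present and identical (constant-time comparison)."""
    cookie_token = cookies.get(COOKIE_NAME)
    form_token = form.get(FIELD_NAME)
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def response_is_safe(headers: dict) -> bool:
    """A response that embeds the hidden field must not be readable cross-origin,
    so it must carry no Access-Control-Allow-Origin header at all."""
    lowered = {k.lower() for k in headers}
    return "access-control-allow-origin" not in lowered


if __name__ == "__main__":
    # Constructed round trip: issue, embed, then verify a legitimate submission.
    token = issue_token()
    print(set_cookie_header(token))
    print(render_form(token))
    print("legit submit accepted:", verify_request({COOKIE_NAME: token}, {FIELD_NAME: token}))
    print("foreign submit rejected:", not verify_request({COOKIE_NAME: token}, {FIELD_NAME: "guess"}))
    print("page without CORS header is safe:", response_is_safe({"Content-Type": "text/html"}))
```

The comparison uses `hmac.compare_digest` rather than `==` so that timing does not leak how many leading characters of a guessed token were correct; the check deliberately rejects a request that is missing either half of the pair instead of treating two empty values as a match.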