CSRF Protection for Refresh Token Cookie in SPA
As far as I know, the best way to do this is to have the server render index.html with the CSRF token inside, and after that you function as a standard AngularJS SPA. So the index.html is enriched with a CSRF token generated by the backend service / framework. Spring Security provides nice support for this, injecting tokens into the templates.

After that, you can get the token from the template with JavaScript and set it on all your $http requests in headers by using an httpInterceptor's request hook (or a cookie? I don't remember clearly what's the proper way, but I am sure it is described in the articles you mentioned above).
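
The approach described in the answer above, as an added example that is not part of the original post: a request interceptor that reads the server-rendered token and attaches it only to state-changing, same-origin calls. The meta tag names follow the convention in the Spring Security documentation and are an assumption about the template; the module name `app` and the helper names are hypothetical.

```javascript
// Added example: names marked "assumed" are not from the original post.
var UNSAFE_METHODS = ['POST', 'PUT', 'PATCH', 'DELETE'];

// Read the token the backend rendered into index.html.
// Assumed markup (Spring Security docs convention):
//   <meta name="_csrf" content="...">
//   <meta name="_csrf_header" content="X-CSRF-TOKEN">
function readCsrfMeta(doc) {
  var tokenEl = doc.querySelector('meta[name="_csrf"]');
  var headerEl = doc.querySelector('meta[name="_csrf_header"]');
  if (!tokenEl || !tokenEl.getAttribute('content')) {
    return null; // page was not rendered with a token
  }
  return {
    token: tokenEl.getAttribute('content'),
    header: (headerEl && headerEl.getAttribute('content')) || 'X-CSRF-TOKEN'
  };
}

// Build an object with the `request` hook that $httpProvider.interceptors expects.
function createCsrfInterceptor(csrf, appOrigin) {
  return {
    request: function (config) {
      var method = (config.method || 'GET').toUpperCase();
      // Relative URLs resolve against the app origin.
      var sameOrigin = new URL(config.url, appOrigin).origin === appOrigin;
      // Only state-changing, same-origin calls get the token, so it is
      // never sent to a third-party API.
      if (csrf && sameOrigin && UNSAFE_METHODS.indexOf(method) !== -1) {
        config.headers = config.headers || {};
        config.headers[csrf.header] = csrf.token;
      }
      return config;
    }
  };
}

// Registration in the browser; 'app' is an assumed module name.
if (typeof angular !== 'undefined') {
  angular.module('app').config(['$httpProvider', function ($httpProvider) {
    $httpProvider.interceptors.push(function () {
      return createCsrfInterceptor(readCsrfMeta(document), window.location.origin);
    });
  }]);
}
```

The backend still has to compare the header value with the token it issued; the interceptor only ensures the SPA sends it.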