I want to protect my application against CSRF. Although I couldn't really understand what the problem is and how my solution works, after some research I came up with a solution, which Angular uses. As far as I understand, my solution requires the following steps:
--> The client requests my SPA.
--> I send a CSRF token (not HttpOnly, so that JS will be able to read it). I also save this CSRF token to the user session on the server.
--> For every POST request, I want my client to read the CSRF token and set the X-XSRF-TOKEN header to this token.
--> I'll check every request by checking the request header and the user session CSRF token. If they match, I'll also check the JWT for authentication if I need to.
--> After validating the CSRF token, I'll make changes to the database. I'll also change the CSRF token again, send the new token to the user, and change the token for the session.
But I am not sure how this helps. If I have an XSS vulnerability, any injected JavaScript code can also do the same. I want to understand the problem and how such a solution helps. Thanks.
FYI: I am also implementing JWT-based authentication, using Redis for session management, on an Express server.
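
The server side of the steps listed in the post, written as Express-style middleware. This is an added example, not code from the original post; the `XSRF-TOKEN` cookie name, `req.session` (assumed to be filled by a session middleware such as a Redis-backed store), the helper names and the mock request/response objects are assumptions made so it runs offline.

```javascript
const nodeCrypto = require('crypto');

// Issue a token, keep it in the server-side session, and expose it in a cookie
// that is not HttpOnly so the SPA's own script can copy it into a header.
// Cookie name XSRF-TOKEN is an assumption (the name Angular reads by default).
function issueCsrfToken(req, res) {
  const token = nodeCrypto.randomBytes(32).toString('hex');
  req.session.csrfToken = token;
  res.cookie('XSRF-TOKEN', token, { httpOnly: false, secure: true });
  return token;
}

// Constant-time comparison; a missing header or session token never matches.
function tokensMatch(sent, stored) {
  if (typeof sent !== 'string' || typeof stored !== 'string') return false;
  const a = Buffer.from(sent), b = Buffer.from(stored);
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// State-changing requests must carry the session's token in X-XSRF-TOKEN.
function csrfProtect(req, res, next) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return next();
  if (!tokensMatch(req.headers['x-xsrf-token'], req.session.csrfToken)) {
    return res.status(403).json({ error: 'invalid CSRF token' });
  }
  issueCsrfToken(req, res); // rotate after a successful check (last step)
  return next();
}

// Constructed stand-in for an Express response object.
function mockRes() {
  return {
    cookies: {}, code: 200, body: null,
    cookie(name, value) { this.cookies[name] = value; return this; },
    status(code) { this.code = code; return this; },
    json(body) { this.body = body; return this; },
  };
}

// Run one POST against a fresh session. headerFor(token) returns the header the
// caller sends: the SPA returns the token it read from the cookie; a cross-site
// form post sends cookies automatically but cannot read them, so it returns null.
function simulate(headerFor) {
  const session = {};
  const first = issueCsrfToken({ session }, mockRes());
  const sent = headerFor(first);
  const req = { method: 'POST', session, headers: sent ? { 'x-xsrf-token': sent } : {} };
  const res = mockRes();
  let reached = false;
  csrfProtect(req, res, () => { reached = true; });
  return { reached, code: res.code, rotated: session.csrfToken !== first };
}
```

`simulate((t) => t)` models the SPA's own request, and `simulate(() => null)` models a cross-site form post that arrives with the session cookie but without the header.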