Is server side CORS protection enough to mitigate CSRF attacks against stateless APIs?
Assume an Angular SPA application on www.example.com that works by invoking an API on that same domain, www.example.com/api/…
The Angular app gets a session cookie and sends it in each API call.
The usual CSRF attack would try to execute a…
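The question hinges on what CORS actually controls. CORS decides whether a page on another origin may *read* a response; it does not stop the browser from *sending* a "simple" request (for example a plain HTML form POST) with the session cookie attached, because such requests are never preflighted. The following is an added example, not code from the original post or from any Angular project: a small classifier showing which cross-origin requests trigger a CORS preflight, beside a server-side CSRF check that does not depend on CORS at all (an Origin/Referer allowlist) and a session cookie emitted with `SameSite`. The request shape `{ method, headers }` and the allowlist origin are assumptions made for the example.

```javascript
// Added example (not from the original post). Requests are modelled as plain
// objects { method, headers } with lower-case header names; this shape is an
// assumption for the example, not an Angular or Express API.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Content types a browser may send cross-origin without a preflight.
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Headers that do not by themselves cause a preflight: the CORS-safelisted
// request headers plus headers the browser sets itself (page code cannot).
const NON_TRIGGERING_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
  "origin", "referer", "cookie", "host", "user-agent", "content-length",
]);

// True when a cross-origin request would be preflighted (OPTIONS first).
// A form POST with a simple content type and no custom headers returns false:
// the browser sends it, cookies included, and CORS only hides the response.
function needsPreflight(req) {
  const method = req.method.toUpperCase();
  if (!["GET", "HEAD", "POST"].includes(method)) return true;
  const headers = req.headers || {};
  for (const name of Object.keys(headers)) {
    if (!NON_TRIGGERING_HEADERS.has(name.toLowerCase())) return true; // custom header
  }
  const ct = (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (ct && !SIMPLE_CONTENT_TYPES.has(ct)) return true; // e.g. application/json
  return false;
}

// Assumed allowlist: the SPA's own origin.
const ALLOWED_ORIGINS = new Set(["https://www.example.com"]);

// Server-side CSRF defence independent of CORS: a state-changing request must
// carry an Origin (or, failing that, a Referer) that belongs to our own site.
// Browsers always attach Origin to cross-origin POSTs, and page code cannot
// forge or strip it. Returns true when the request should be rejected.
function rejectCrossSiteStateChange(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return false;
  const headers = req.headers || {};
  const origin = headers["origin"];
  if (origin) return !ALLOWED_ORIGINS.has(origin);
  const referer = headers["referer"];
  if (referer) {
    try {
      return !ALLOWED_ORIGINS.has(new URL(referer).origin);
    } catch {
      return true; // unparseable Referer: fail closed
    }
  }
  return true; // neither header present: fail closed
}

// Defence in depth on the cookie itself: SameSite=Lax keeps the cookie off
// cross-site POSTs; add a per-session CSRF token on top for older clients.
function sessionCookieHeader(value) {
  return `session=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample requests for the reader to run.
const formPostFromElsewhere = {
  method: "POST",
  headers: { "content-type": "application/x-www-form-urlencoded",
             "origin": "https://other.example" },
};
const jsonPostFromOwnSite = {
  method: "POST",
  headers: { "content-type": "application/json",
             "origin": "https://www.example.com" },
};

console.log("form POST needs preflight:", needsPreflight(formPostFromElsewhere));   // false
console.log("form POST rejected:", rejectCrossSiteStateChange(formPostFromElsewhere)); // true
console.log("own-site JSON POST rejected:", rejectCrossSiteStateChange(jsonPostFromOwnSite)); // false
console.log(sessionCookieHeader("opaque-session-id"));
```

The first sample shows the gap: the cross-origin form POST is not preflighted, so CORS never gets a say before the cookie-bearing request reaches the API. The Origin check and the `SameSite` attribute close that gap independently of any CORS configuration, which is why the usual guidance is to treat CORS as a response-reading control rather than a CSRF defence.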