I currently have a browser-based, single-page web app with a Rails backend. The Ember app reads the CSRF token from the meta tag output by Rails and sets it in the HTTP headers of each Ajax request.
Now I'm building an iOS app which will talk to the same API, but I don't want to disable the CSRF token because it will open up vulnerabilities in the browser. I've read lots of different SO posts and articles about this but am still unclear as to the best way to do this.
Here's what I'm planning to do:
- Open up unauthenticated API requests to not require a CSRF token
- Pass the CSRF token back on a successful login request so that the iOS client can use it in the HTTP headers of subsequent requests
- For the browser app, continue to read the CSRF token from the meta tag and put it in the HTTP headers
Is this a suitable approach? Is it OK to not have a CSRF token for unauthenticated requests?
Thanks
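As an added illustration of the plan in the question (this is example code, not the poster's code and not Rails's own CSRF implementation), a plain-Ruby model of the decision logic: the unauthenticated login call is exempt, the token is handed back in the login response, and every later state-changing request from either client must present it in `X-CSRF-Token`. The credentials, header name and session layout are constructed for the example.

```ruby
require "securerandom"

# Constant-time comparison so a wrong token cannot be told apart by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Simulated login: on success, mint a CSRF token, keep it in the server-side
# session (the cookie-backed store a browser would carry) and return it in
# the JSON body so a native client can store it for later requests.
def login(session, username, password)
  # Constructed credentials for the example only.
  return [401, {}] unless username == "alice" && password == "correct horse"
  session[:user_id] = 1
  session[:csrf_token] = SecureRandom.urlsafe_base64(32)
  [200, { "csrf_token" => session[:csrf_token] }]
end

SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Gatekeeper for each request. Safe methods and requests with no authenticated
# session pass (there is no ambient credential to forge with); any other
# request must carry the session's token in the X-CSRF-Token header.
# The exemption covers the login call itself; "login CSRF" against that call
# is a separate concern not handled by this check.
def csrf_check(session, method, headers)
  return :allowed if SAFE_METHODS.include?(method)
  return :allowed unless session[:user_id]
  supplied = headers["X-CSRF-Token"].to_s
  expected = session[:csrf_token].to_s
  return :rejected if expected.empty? || !secure_compare(supplied, expected)
  :allowed
end

if __FILE__ == $0
  session = {}
  puts "login POST before auth: #{csrf_check(session, 'POST', {})}"
  _status, body = login(session, "alice", "correct horse")
  puts "POST without token:     #{csrf_check(session, 'POST', {})}"
  puts "POST with token:        #{csrf_check(session, 'POST', { 'X-CSRF-Token' => body['csrf_token'] })}"
end
```

The same `csrf_check` serves both clients: the browser sources the header from the meta tag, the iOS app from the login response; a cross-site request that rides on the session cookie alone is the one that is rejected.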