
I have two applications: one is an Angular front end, the other is a backend API.

The URLs for these apps look like so:

https://frontend.mydomain.com

https://api.mydomain.com

When using CSRF it appears to treat the two URLs as different domains and so does not set the CSRF cookie on the frontend. Subsequently, all frontend API requests fail as no CSRF token is returned.

Following a suggestion I read online somewhere, I've tried the following:

app.use(csurf({
  cookie: {
    domain: environment.COOKIE_DOMAIN,
    httpOnly: true,
    secure: true
  }
}));
...

and my environment variables look like so:

export const environment = {
  production: true,
  COOKIE_DOMAIN: ".mydomain.com", // where mydomain is my actual domain
...

However, it still fails and I'm not sure what else I should try.

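As an added illustration (not code from the question or from csurf), this snippet models how a browser scopes a cookie under RFC 6265, so you can check which of the two hosts a cookie set by the API with the attributes above would reach, and whether page script on the frontend could read it. The hostnames and cookie attributes are the ones from the question; cross-origin credential handling (CORS, withCredentials) is not modelled here.

```javascript
// Added example, not code from the question: cookie scoping per RFC 6265,
// applied to the csurf cookie attributes and hostnames from the question.

// RFC 6265 s5.1.3: host domain-matches cookieDomain if they are equal, or
// host ends with "." + cookieDomain and host is not an IPv4 literal.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return host.endsWith('.' + cookieDomain);
}

// RFC 6265 s5.2.3: a leading dot on the Domain attribute is ignored, so
// ".mydomain.com" and "mydomain.com" have the same effect.
function normalizeCookieDomain(attr) {
  return (attr.startsWith('.') ? attr.slice(1) : attr).toLowerCase();
}

// Simulates storing a cookie set in a response from `setter`, then asks
// about `target`: do requests to it carry the cookie, and can script on a
// page served by it read the value (never, when httpOnly is set)?
function evaluateCookie({ setter, domainAttr, httpOnly }, target) {
  const hostOnly = !domainAttr;
  const effectiveDomain = hostOnly ? setter.toLowerCase()
                                   : normalizeCookieDomain(domainAttr);
  // s5.3 step 6: the browser rejects a cookie whose Domain does not cover
  // the host that set it (e.g. api.* trying to set Domain=frontend.*).
  if (!hostOnly && !domainMatches(setter, effectiveDomain)) {
    return { stored: false, effectiveDomain, sentTo: false, readableByScript: false };
  }
  const sentTo = hostOnly
    ? target.toLowerCase() === effectiveDomain
    : domainMatches(target, effectiveDomain);
  return { stored: true, effectiveDomain, sentTo, readableByScript: sentTo && !httpOnly };
}

// Constructed scenario matching the question: the API sets the csurf cookie
// with domain ".mydomain.com" and httpOnly; the Angular app is on frontend.*.
const csurfCookie = { setter: 'api.mydomain.com', domainAttr: '.mydomain.com', httpOnly: true };
// Reaches frontend.mydomain.com, but document.cookie there cannot see it.
console.log(evaluateCookie(csurfCookie, 'frontend.mydomain.com'));

// Without a Domain attribute the cookie is host-only and stays on api.*.
const hostOnlyCookie = { setter: 'api.mydomain.com', httpOnly: true };
console.log(evaluateCookie(hostOnlyCookie, 'frontend.mydomain.com'));
console.log(evaluateCookie(hostOnlyCookie, 'api.mydomain.com'));
```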

0 Answers