I have completely separated my front-end UI and my back-end, since I may move to another implementation for either one in the future. As such, my backend runs on Laravel from /api/ and my front end runs on AngularJS from /index.html.

Is there a way I can generate a CSRF token from Laravel to use in the backend? My problem is as I said: I cannot use csrf_token() since the Laravel app is in a completely separate folder.

Kousha
  • Isn't it just a matter of including the csrf_token in your JSON (I suppose) response? – jah Jul 22 '14 at 01:15
  • If you want to keep the two completely separated, then you're missing the original purpose of CSRF. See http://stackoverflow.com/questions/10741339/do-csrf-attack-worries-apply-to-apis – Aken Roberts Jul 22 '14 at 01:19
  • Oh I see. I don't know why I didn't think of that. So basically since I do want to allow 3rd party API calls, then I am not to use CSRF at all! – Kousha Jul 22 '14 at 01:22
  • That's correct - no CSRF required. **However**, you do need some sort of authentication (or other protection) to be sure that requests are coming from your AngularJS application and not from some random third-party who's figured out how to send requests to your API. – Kryten Jul 22 '14 at 14:33
  • @Kryten: It's been a while now, maybe you remember this one. Do you have any suggestion for the 'other protection'? Kousha: What did you end up with? – hogan Nov 03 '15 at 18:57

0 Answers