Hello,
Default router pipelines include:
```elixir
pipeline :browser do
  plug :accepts, ["html"]
  plug :fetch_session
  plug :fetch_flash
  plug :protect_from_forgery
  plug :put_secure_browser_headers
end

pipeline :api do
  plug :accepts, ["json"]
end
```
Why is `:put_secure_browser_headers` only relevant for server-side rendered apps? Because the headers only protect the actual use of HTML in the response?
Secondly, many SPAs prefer to store the user token in a cookie nowadays to prevent XSS attacks. But in doing so, they then need to protect themselves against CSRF attacks. This made me wonder if anyone has experience in including CSRF tokens for SPAs and if I can somehow reuse the `:protect_from_forgery` plug for that case as well.
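As an added illustration (not part of the original post or of Phoenix itself) of reusing `:protect_from_forgery` for a cookie-authenticated SPA: the API pipeline fetches the session so `Plug.CSRFProtection` can bind a token to it, and one JSON endpoint hands that token to the front end. The `MyAppWeb.*` module names are placeholders for a generated Phoenix project, and `OrderController` is assumed to exist elsewhere.

```elixir
# Added example; MyAppWeb.* names are assumed placeholders.
defmodule MyAppWeb.Router do
  use Phoenix.Router
  import Plug.Conn
  import Phoenix.Controller

  # Pipeline for a cookie-authenticated SPA backend. The session must be
  # fetched before :protect_from_forgery, because Plug.CSRFProtection
  # stores the CSRF secret in the session. The security headers are
  # still applied even though the responses are JSON.
  pipeline :spa_api do
    plug :accepts, ["json"]
    plug :fetch_session
    plug :protect_from_forgery
    plug :put_secure_browser_headers
  end

  scope "/api", MyAppWeb do
    pipe_through :spa_api

    # GET is a safe method: it passes the CSRF check unconditionally and
    # is used to hand the token to the front end.
    get "/csrf_token", CSRFController, :show

    # POST is an unsafe method: Plug.CSRFProtection requires the token in
    # the x-csrf-token header or a _csrf_token param, and by default raises
    # (with: :exception) when it is missing or does not match the session.
    post "/orders", OrderController, :create
  end
end

defmodule MyAppWeb.CSRFController do
  use Phoenix.Controller

  # get_csrf_token/0 returns the masked, per-session token; the session
  # cookie is what ties it to this user, so it cannot be read cross-site.
  def show(conn, _params) do
    json(conn, %{csrf_token: get_csrf_token()})
  end
end
```

The SPA fetches `/api/csrf_token` once after login and sends the value in the `x-csrf-token` header on every POST/PUT/PATCH/DELETE; the session cookie should additionally be `HttpOnly` and `SameSite` so the token and cookie together cannot be forged from another origin.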