Default plugs for `:api` (SPA)


Default router pipelines include:

pipeline :browser do
  plug :accepts, ["html"]
  plug :fetch_session
  plug :fetch_flash
  plug :protect_from_forgery
  plug :put_secure_browser_headers

pipeline :api do
  plug :accepts, ["json"]

Why is :put_secure_browser_headers only relevant for server-side rendered apps? Because the headers only protect the actual use of HTML in the response?

Secondly, many SPA prefer to store the user token in a cookie nowadays to prevent XSS attacks. But doing so they then need to protect themselves against CSRF attacks. Made me wonder if anyone has experience in including CSRF tokens for SPA and if I can somehow reuse the :protect_from_forgery plug for that case as well.