Default router pipelines include:
```elixir
pipeline :browser do
  plug :accepts, ["html"]
  plug :fetch_session
  plug :fetch_flash
  plug :protect_from_forgery
  plug :put_secure_browser_headers
end

pipeline :api do
  plug :accepts, ["json"]
end
```
Is `:put_secure_browser_headers` only relevant for server-side rendered apps, because the headers only protect the actual use of HTML in the response?
Secondly, many SPAs prefer to store the user token in a cookie nowadays to prevent XSS attacks. But in doing so, they then need to protect themselves against CSRF attacks. That made me wonder if anyone has experience in including CSRF tokens for SPAs and whether I can somehow reuse the `:protect_from_forgery` plug for that case as well.
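One way to reuse `:protect_from_forgery` for a cookie-authenticated SPA, as an added example that is not from the post above (the `MyAppWeb`, `CsrfController` and `ItemController` names are assumed):

```elixir
# Added example: an API pipeline for a cookie-authenticated SPA that reuses
# Phoenix's :protect_from_forgery (Plug.CSRFProtection). Module and
# controller names are assumptions.
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  # Plug.CSRFProtection keeps its per-session secret in the session, so
  # :fetch_session must run before :protect_from_forgery. Safe methods
  # (GET/HEAD/OPTIONS) are not checked; every state-changing request must
  # carry the token in the `x-csrf-token` header or the `_csrf_token` param.
  pipeline :spa_api do
    plug :accepts, ["json"]
    plug :fetch_session
    plug :protect_from_forgery
  end

  scope "/api", MyAppWeb do
    pipe_through :spa_api

    # GET is a safe method, so the SPA can fetch a token without one.
    get "/csrf-token", CsrfController, :show
    # POST is checked: a missing or mismatched token is rejected.
    post "/items", ItemController, :create
  end
end

defmodule MyAppWeb.CsrfController do
  use MyAppWeb, :controller

  # Plug.CSRFProtection.get_csrf_token/0 returns the masked token for the
  # current session. The SPA keeps it in memory (not in a cookie) and sends
  # it back as the `x-csrf-token` header on POST/PUT/PATCH/DELETE requests.
  def show(conn, _params) do
    json(conn, %{csrf_token: Plug.CSRFProtection.get_csrf_token()})
  end
end
```

A state-changing request that lacks a valid token raises `Plug.CSRFProtection.InvalidCSRFTokenError`, which Phoenix renders as a 403, so the check works the same for JSON clients as for server-rendered forms.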