Currently working on an internal application, basically a static web site (HTML and Angular on AWS S3, with API Gateway and Lambda in the backend) and using Cognito's JWTs initially. Though this site will be internal only, it will still need to meet strict XSS and XSRF rules.
I've been trying to work out how the XSRF would be handled, as there will be no state server to track the values that need to be issued with the pages and cookies. Plus, the static pages would not be able to have a unique token created without making an API call in the first place.
Sorry, it's been a while since I've been this close to the development side, and the current developers are on a steep learning curve. Any advice would be greatly appreciated.