Currently working on an internal application, basically a static web site (HTML and Angular on AWS S3, with API Gateway and Lambda in the backend) and using Cognito's JWTs initially. Though this site will be internal only, it will still need to meet strict XSS and XSRF rules.
I've been trying to work out how XSRF would be handled, as there will be no state server to track the values that need to be issued with the pages and cookies. Plus, the static pages would not be able to have a unique token created without making an API call in the first place.
Sorry, it's been a while since I've been this close to the development side, and the current developers are on a steep learning curve. Any advice would be greatly appreciated.
Thanks for your kind response, mate. Must admit I had trawled through most of that a few times and was certainly leaning to double submit, but also they won't be storing the JWT in a cookie anyway; there's just a lot of mixed info out there about how secure that is if you're protected against XSS, and that it may still be insecure without CSRF protection. Knowing my clients, they will want both, so we'll see what their pen tests turn up, I guess.
Better than the developers issuing CSRF page values and cookies from API calls, which didn't feel right at all. Thanks again; at least this has been good for brushing up on my client-side security again. It's been too long, lol.