On the flux application we have enabled the anti-forgery token by default, and we want to explore the option of turning it off to achieve the eligibility form pre-population. To populate the form we are asking Clients to POST JSON to the home page endpoint (which would currently be blocked due to the anti-forgery token). We would only be turning it off for this endpoint and leaving it enabled by default for the rest of the application.
Do you have any concerns with this?
Wanted views on what the removal of the anti-forgery token would mean in this architectural setup, i.e. because there are multiple layers to the infrastructure model, is the core application still secure? How would you classify the potential CSRF flaw that this token blocks?