I have an ASP.NET MVC Core app with SPA Prerendering (Angular) and JWT Bearer Authentication.
I'd like to be able to use antiforgery in my Web APIs by using the ValidateAntiForgeryToken attribute.
Because I'm using SPA Prerendering, how should I be sending the XSRF-TOKEN through? I'm not able to intercept using a ResultFilter.
Can I use OnPrepareResponse?
    spa.UseSpaPrerendering(options =>
        options.DefaultPageStaticFileOptions.OnPrepareResponse = (context) =>
However, I need to use a service to generate the token to be used in the header. It only has access to HttpContext. Examples I see for OnPrepareResponse involve setting headers using fixed values.
Also, do I still need XSRF protection if I'm using JWT Bearer Authentication?
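
Added example, not part of the original question: inside OnPrepareResponse the antiforgery service can be resolved per request from HttpContext.RequestServices, so the token does not have to be a fixed value. The sketch assumes an ASP.NET Core 2.x Startup using the SpaServices.Extensions package, attaches the callback through spa.Options.DefaultPageStaticFileOptions, and uses assumed paths and the Angular default cookie/header names; the callback only runs for responses served as the static default page.

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.StaticFiles;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        // Angular's HttpClient copies the XSRF-TOKEN cookie into this header,
        // which [ValidateAntiForgeryToken] then checks on the API side.
        services.AddAntiforgery(o => o.HeaderName = "X-XSRF-TOKEN");
        services.AddSpaStaticFiles(c => c.RootPath = "ClientApp/dist"); // assumed path
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseStaticFiles();
        app.UseSpaStaticFiles();
        app.UseMvc();
        app.UseSpa(spa =>
        {
            spa.Options.SourcePath = "ClientApp"; // assumed path
            spa.Options.DefaultPageStaticFileOptions = new StaticFileOptions
            {
                OnPrepareResponse = IssueXsrfCookie
            };
        });
    }

    // Runs just before the default page is written; headers are still mutable.
    private static void IssueXsrfCookie(StaticFileResponseContext ctx)
    {
        HttpContext http = ctx.Context;
        // Resolve the service from the request scope instead of using a fixed value.
        var antiforgery = http.RequestServices.GetRequiredService<IAntiforgery>();
        // Writes the HttpOnly antiforgery cookie and returns the matching request token.
        AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(http);
        // The request token must be readable by script so the SPA can echo it back.
        http.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
            new CookieOptions { HttpOnly = false, Secure = true, SameSite = SameSiteMode.Strict });
    }
}
```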