my goal is to implement CSRF Token. But I am confused on how I should generate the CSRF Token.
CMIIW:
- I am assuming that a malicious website can't get access to target-domain.com's cookie. The malicious website can only send a request like
target-domain.com/delete-user, which will also send target-domain.com's cookie. Note: the malicious website does not know the CSRF Token value.
If my assumption is correct, then it is safe to create an endpoint, /csrfToken, which will return a csrfToken cookie.
And since target-domain.com can call the getCookie('csrfToken') function, target-domain.com can send a request to target-domain.com/delete-user with csrfToken in the body.