CSRF token
Cloverleaf API uses a CSRF token to prevent cross-site request forgery attacks. Every API invocation other than a GET must carry the CSRF token in a request header.
The response returns the CSRF token value in JSON format.
To obtain the CSRF token for a session, users invoke the new /api/security/csrf API with the session ID, which is saved in a cookie after log-in. The response is {"csrf" : "csrf_token_value"}.
This cookie is HttpOnly, which means JavaScript cannot read it.
CLAPI does not save the CSRF token in a cookie; instead, it provides an API to retrieve it.
The client calls the new API to get the CSRF token, caches it in memory, and sends it as the X-CSRF-TOKEN header with the request.
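The flow above (session cookie from log-in, one GET to /api/security/csrf, token cached in memory, X-CSRF-TOKEN on every non-GET call) as an added Python example; this is not Cloverleaf's own client or server code. The `transport` callable, the `JSESSIONID` cookie name and the fake server are assumptions so the example runs offline, and `csrf_check` shows the server-side rule the header is meant to satisfy.

```python
import json
from urllib.parse import urljoin

CSRF_PATH = "/api/security/csrf"
CSRF_HEADER = "X-CSRF-TOKEN"

class CloverleafClient:
    """Client side of the flow: the session cookie obtained at log-in is supplied
    by the caller; the token is fetched once from /api/security/csrf, cached in
    memory (never in a cookie) and sent as X-CSRF-TOKEN on every non-GET request.
    `transport(method, url, headers, body)` is an injected HTTP function (assumed)
    returning (status, body_text), so the example runs without a server."""
    def __init__(self, base_url, session_cookie, transport):
        self.base_url = base_url
        self.session_cookie = session_cookie  # e.g. "JSESSIONID=..." (constructed name)
        self.transport = transport
        self.csrf_token = None

    def fetch_csrf_token(self):
        status, body = self.transport("GET", urljoin(self.base_url, CSRF_PATH),
                                      {"Cookie": self.session_cookie}, None)
        if status != 200:
            raise RuntimeError(f"CSRF token fetch failed: HTTP {status}")
        self.csrf_token = json.loads(body)["csrf"]  # response is {"csrf": "..."}
        return self.csrf_token

    def request(self, method, path, body=None):
        method = method.upper()
        headers = {"Cookie": self.session_cookie}
        if method != "GET":  # every non-GET call must carry the token
            if self.csrf_token is None:
                self.fetch_csrf_token()
            headers[CSRF_HEADER] = self.csrf_token
        payload = None if body is None else json.dumps(body)
        return self.transport(method, urljoin(self.base_url, path), headers, payload)

def csrf_check(method, headers, expected_token):
    """Server-side rule: GET passes; any other method needs a matching X-CSRF-TOKEN."""
    if method.upper() == "GET":
        return True
    return expected_token is not None and headers.get(CSRF_HEADER) == expected_token

# Constructed fake server: one valid session, one token, enforces csrf_check.
FAKE_TOKEN = "constructed-csrf-token"
def fake_transport(method, url, headers, body):
    if headers.get("Cookie") != "JSESSIONID=constructed-session":
        return 401, ""  # no valid session cookie
    if method == "GET" and url.endswith(CSRF_PATH):
        return 200, json.dumps({"csrf": FAKE_TOKEN})
    if not csrf_check(method, headers, FAKE_TOKEN):
        return 403, "missing or wrong X-CSRF-TOKEN"
    return 200, "ok"
```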