Firstly, I'm digging this new design for Laravel.IO - it just gets the job done so well. :)
Right, so I have a site built with Bolt (http://bolt.cm) that runs on the main domain (let's call this www.domain.tld). I'd like to create a Laravel app that I can install on a subdomain (let's call this formengine.domain.tld). This app would be used to process forms from the main site, and send emails.
Problem is, how do I go about making that secure? As the two apps are different, how would I get a CSRF token on the main site?
At the moment, I know I'll be using a referrer check so that people don't just send forms as and when they please from another site, or perhaps manually through the API. I may even add an X-FormPassword parameter, where the password is randomly generated by Bolt according to a specific set of patterns and rules, sent to the Laravel app and decoded. If correct, it would allow the form to be sent.
But, this is all I can think of for now. If I can't use a CSRF token, is there a better method?
I guess you could make an internal request to the subdomain to retrieve a CSRF token and embed that into the form, but that would be pretty hacky. CORS would probably be the clean approach.
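One way to give the two apps a shared, stateless form token without the "internal request" round trip: the main site signs an expiring token with a secret that only it and the form engine know, and the form engine verifies the HMAC before processing the POST, alongside an Origin allow-list for the CORS side. The following PHP is an added example written for this thread; it is not code from Bolt, Laravel or either poster. The `TOKEN_TTL` value, the `$sharedSecret` argument and the `https://www.domain.tld` origin are assumptions based on the example hostnames in the question.

```php
<?php
// Added example (not from the thread): a shared-secret, HMAC-signed, expiring
// form token. www.domain.tld issues it into the form; formengine.domain.tld
// verifies it. No shared session or cookie is needed between the two apps.
// TOKEN_TTL and the shared-secret handling are assumptions for this example.

const TOKEN_TTL = 1800; // seconds a token stays valid (assumed value)

// Issuer side (main site).
// Token layout: base64("nonce:expiry:formId") . "." . hex(HMAC-SHA256(payload))
function issueFormToken(string $sharedSecret, string $formId, ?int $now = null): string
{
    $now = $now ?? time();
    $nonce = bin2hex(random_bytes(16));               // 128-bit random nonce
    $payload = implode(':', [$nonce, $now + TOKEN_TTL, $formId]);
    $mac = hash_hmac('sha256', $payload, $sharedSecret);
    return base64_encode($payload) . '.' . $mac;
}

// Verifier side (form-processing app).
// True only if the MAC is valid, the token is unexpired and it was issued
// for the form that is being submitted.
function verifyFormToken(string $sharedSecret, string $token, string $expectedFormId, ?int $now = null): bool
{
    $now = $now ?? time();
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$encoded, $mac] = $parts;
    $payload = base64_decode($encoded, true);         // strict decoding
    if ($payload === false) {
        return false;
    }
    // Check the MAC before trusting any field of the payload; constant-time compare.
    $expected = hash_hmac('sha256', $payload, $sharedSecret);
    if (!hash_equals($expected, $mac)) {
        return false;
    }
    $fields = explode(':', $payload, 3);
    if (count($fields) !== 3) {
        return false;
    }
    [, $expiry, $formId] = $fields;
    return (int) $expiry >= $now && hash_equals($expectedFormId, $formId);
}

// CORS side: return the Origin value to echo in Access-Control-Allow-Origin,
// or null if the origin is not on the allow-list. Never reflect arbitrary origins.
function allowedOrigin(?string $origin): ?string
{
    $allowed = ['https://www.domain.tld'];           // assumed allow-list
    return ($origin !== null && in_array($origin, $allowed, true)) ? $origin : null;
}

// Usage sketch with a constructed secret (load the real one from config/env).
$secret = 'constructed-example-secret-change-me';
$token  = issueFormToken($secret, 'contact');                  // embedded in the form
var_dump(verifyFormToken($secret, $token, 'contact'));         // bool(true)
var_dump(verifyFormToken($secret, $token, 'newsletter'));      // bool(false): wrong form
var_dump(verifyFormToken($secret, $token . 'x', 'contact'));   // bool(false): tampered MAC
```

The referrer check from the question still fails safe, since a browser can omit `Referer`, but it should not be the only control: the signed token is what proves the form was rendered by the main site, and the expiry bounds how long a captured token is useful. To stop a valid token from being replayed within its lifetime, the verifier can record the nonce in a cache keyed by nonce with a TTL equal to the remaining validity and reject any nonce it has already seen; in Laravel that is a natural fit for `Cache::add()`, which returns false when the key already exists.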