I cannot think of any downfall in this case. But I prefer to put it in the head as a meta tag.
Yea, I have a meta tag in the master view for my apps so the csrfToken is always available. Most of my apps are using ajax calls, so my JS yanks the meta value into a top-level property in my app JS module that can be accessed anywhere in my code.
I don't really see a downfall to having it in there. It changes every reload so I don't think there is a major security concern with it. Who knows though, maybe there is, but for now I think it's fine.
This is what's in the head of my master template:
<meta name="csrf_token" content="{{ csrf_token() }}">
so on your ajax calls you just define
data: { csrf_token: $('[name="csrf_token"]').attr('content') }
I just posted a question to Stack Overflow (http://stackoverflow.com/q/41596534/96233) about adding a
<script>
var csrfToken = {{ tokenValue }}
</script>
in a Go server. I can't think of any security issues with this, but I am not a security expert.
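An added example, not code from any poster in this thread: one way to use the meta-tag token from JavaScript so that it is attached only to state-changing requests aimed at the page's own origin and is never sent to another host. The function names are hypothetical; the meta name `csrf_token` is the one used above, and `X-CSRF-TOKEN` is the request header Laravel's CSRF middleware checks.

```javascript
// Added example; readCsrfToken and csrfHeadersFor are hypothetical names.
// Methods that must not change server state and therefore need no token.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Read the token from <meta name="csrf_token" content="..."> in the page head.
// `doc` is the browser `document` (or any object exposing querySelector).
function readCsrfToken(doc) {
  const meta = doc.querySelector('meta[name="csrf_token"]');
  return meta ? meta.getAttribute('content') : null;
}

// Return the extra headers for one request. The token is added only when the
// request changes state AND resolves to the page's own origin.
function csrfHeadersFor(url, method, pageOrigin, token) {
  if (!token) return {};
  if (SAFE_METHODS.has(String(method).toUpperCase())) return {};
  let target;
  try {
    // Relative and protocol-relative URLs are resolved against the page.
    target = new URL(url, pageOrigin);
  } catch (e) {
    return {}; // unparseable URL: fail closed, send no token
  }
  if (target.origin !== new URL(pageOrigin).origin) return {};
  return { 'X-CSRF-TOKEN': token };
}

// Browser usage (assumes jQuery, as in the thread):
//   const token = readCsrfToken(document);
//   $.ajaxPrefilter(function (opts, orig, xhr) {
//     const h = csrfHeadersFor(opts.url, opts.type, location.origin, token);
//     Object.keys(h).forEach(function (k) { xhr.setRequestHeader(k, h[k]); });
//   });
```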