
javascript app preventing csrf

Çağlar Arlı


I am trying to implement measures against CSRF in my client SPA. I have the following question, since it is difficult for me to use the Signed Double-Submit Cookie. Is it possible to implement a CSRF preventive measure where the client generates a random value that it stores in memory, generates a hash of that value, then sends this hash to an endpoint on the API server that returns a CSRF token, and on the server that value is saved in the session? Subsequently the client sends the random value initially saved in memory to an endpoint where a state change occurs, and the server generates the hash with this value and compares it with the hash stored in the session, checking whether it is not a CSRF, since they must be exactly the same... Is this a good measure? It is similar to how PKCE works with OAuth.
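Below is an added example (not code from the question or from any project) that models the two endpoints described above as plain Python functions over an in-memory session store, with the client side of the exchange alongside. The endpoint names, the `X-Requested-With` header requirement, and the session store are assumptions for illustration. The point the example makes is that the registration endpoint is the piece that has to be protected: whatever it accepts into the session becomes the value the state-changing endpoint later trusts, so both endpoints here require a custom request header, which an HTML form submitted from another origin cannot set and which a cross-origin fetch cannot send without CORS permission.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store (stands in for the server-side session
# the question describes): session_id -> {"csrf_hash": hex digest}.
SESSIONS = {}

# Assumption: the SPA attaches this header to every API call. Browsers do not
# let a cross-site HTML form set custom headers, and a cross-origin fetch with
# one is blocked unless the API's CORS policy allows it.
CUSTOM_HEADER = "X-Requested-With"


def sha256_hex(value: str) -> str:
    """The hash the client sends first and the server recomputes later."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def _same_site_request(headers: dict) -> bool:
    """Reject requests that lack the custom header (forms, simple requests)."""
    return headers.get(CUSTOM_HEADER) is not None


def register_csrf_hash(session_id: str, hash_hex: str, headers: dict) -> int:
    """Endpoint 1 (hypothetical /csrf/register): store the hash in the session.

    Returns an HTTP-like status code. This endpoint must be as protected as the
    state-changing one, otherwise the value it stores cannot be trusted.
    """
    if not _same_site_request(headers):
        return 403
    if len(hash_hex) != 64 or any(c not in "0123456789abcdef" for c in hash_hex):
        return 400  # only accept a well-formed SHA-256 hex digest
    SESSIONS.setdefault(session_id, {})["csrf_hash"] = hash_hex
    return 200


def state_change(session_id: str, value: str, headers: dict) -> int:
    """Endpoint 2 (hypothetical /account/update): verify the preimage.

    Recomputes SHA-256 over the client-supplied value and compares it in
    constant time with the digest stored in the session.
    """
    if not _same_site_request(headers):
        return 403
    stored = SESSIONS.get(session_id, {}).get("csrf_hash")
    if stored is None:
        return 403  # no registered hash for this session
    if not hmac.compare_digest(sha256_hex(value), stored):
        return 403  # preimage does not match the registered hash
    return 200


def spa_client_flow(session_id: str) -> int:
    """The client side: random value kept in memory, hash registered first,
    raw value sent only with the state-changing request."""
    value = secrets.token_urlsafe(32)          # stays in JS memory, never in a cookie
    headers = {CUSTOM_HEADER: "XMLHttpRequest"}
    if register_csrf_hash(session_id, sha256_hex(value), headers) != 200:
        return 500
    return state_change(session_id, value, headers)


if __name__ == "__main__":
    print("legitimate SPA flow:", spa_client_flow("session-a"))
    # A request without the custom header, as a cross-site form post would be,
    # is refused before it can write anything into the session.
    print("header-less registration:", register_csrf_hash("session-b", sha256_hex("x"), {}))
```

The `hmac.compare_digest` call avoids leaking match position through timing, and the header check on the registration endpoint is what keeps the scheme from degrading into "whoever last wrote to the session decides the token"; the same effect can be had by binding the stored hash to the session cookie with `SameSite=Lax` or `Strict` on the session cookie, which the example leaves to the framework.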