Is CSRF Security Dependent on Front-End?


I'm trying to figure out if I completely understand CSRF security properly. Based on:

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

In all scenarios it seems like your frontend has to have the CSRF token somewhere so that when a request is sent to the backend, it can compare the CSRF token in the cookie/session to the one in the request. That way, when an attacker tries to create a request on behalf of a logged-in user, since they don't have the token in the request, it won't be validated.

This means that in order to implement CSRF protection you need to configure both the frontend and the backend.

Now let's say I want all the CSRF security to be done on the backend. Is this possible without changing the frontend?

Also, if my frontend application is separated from the backend, do I still need to be worried about CSRF attacks?

1 answer

Oliver O'Neill:

CSRF is a collaboration between the frontend and backend. It's to validate that a request has come from an actual user on your site, instead of someone maliciously forcing a user to do something, like having a form on another site that would submit a POST request to a bank URL to transfer money (the usual example). If that user is still logged into that bank, it would just do the transfer without this CSRF check in place.

CSRF in a nutshell: you generate something random in the backend and set that in the user's session (which is server-side). Then, when you generate a form, you include this value as a hidden field.

When this form is submitted, you compare it to the value stored in the session; that way you know this user actually submitted that form.
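The synchronizer-token flow described in the answer, written out as an added example (this is not code from the original post or from OWASP). It assumes a hypothetical in-memory session store keyed by session id, a backend that renders the form, and a POST handler that checks the hidden field against the session; the session ids, token sizes and form fields are constructed for the example. A forged cross-site form cannot read the token out of the victim's page, so a request without it (or with a guessed one) is rejected even though the victim's session cookie is sent along.

```python
import secrets
import hmac

# Hypothetical server-side session store: session_id -> session dict.
SESSIONS = {}


def new_session():
    """Create a server-side session and return its id (the value the cookie would carry)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid


def issue_csrf_token(session_id):
    """Generate a random token once per session and keep it server-side."""
    session = SESSIONS[session_id]
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_transfer_form(session_id):
    """Backend renders the form with the session's token as a hidden field."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/transfer">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input name="amount">\n'
        "</form>"
    )


def validate_transfer(session_id, form_fields):
    """Accept the POST only if its csrf_token field matches the token stored in the session.

    Uses a constant-time comparison so the check does not leak the token through timing.
    """
    session = SESSIONS.get(session_id)
    if session is None or "csrf_token" not in session:
        return False
    submitted = form_fields.get("csrf_token", "")
    return hmac.compare_digest(session["csrf_token"].encode(), submitted.encode())


def simulate():
    """Legitimate submission vs. a forged cross-site form that lacks the token."""
    sid = new_session()                      # victim logs in; session cookie = sid
    token = issue_csrf_token(sid)
    # The real form carries the hidden field the backend rendered.
    legit = validate_transfer(sid, {"csrf_token": token, "amount": "100"})
    # Attacker's form on another site posts to /transfer; the browser attaches
    # the victim's session cookie, but the attacker could not read the token.
    forged = validate_transfer(sid, {"amount": "100"})
    guessed = validate_transfer(sid, {"csrf_token": secrets.token_urlsafe(32), "amount": "100"})
    return legit, forged, guessed


if __name__ == "__main__":
    print(simulate())  # expected: (True, False, False)
```

The token lives in the session on the server and in the page the backend rendered, so the backend can enforce the check alone, but the page it serves still has to carry the token back; that is the frontend half of the collaboration the answer describes.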