Laravel CSRF token for API (prod API access from localhost and prod site)


What's the best practice when it comes to developing FE & BE regarding Laravel Sanctum / CSRF?

I built my app with Laravel's CSRF token auth, as the site (10.x) says that's recommended for SPAs. Works fine on local / dev, with Postman and React as a frontend too.

However, just now I've deployed to DigitalOcean and now can't access my API from Postman on my machine.

Makes sense, cross-site request... but haven't found a good solution.

Setup is: domain.com/api -> confirmed to work after deployment. .env: I added the localhost:3000 (React) "domain" to my .env, with my prod site URL too.

CSRF token stuff works 100% in localhost environment (with both FE and BE running locally).

I looked up answers and most old posts (5y+) recommended I go with API token instead of CSRF. Isn't that less secure?

Another solution I found was to basically disable it (protected $except = ['*'] and similar "solutions"; I see no point in these).

I'm pretty new and would like to use the most secure features (especially if they're built in), but now I'm pretty confused.

Ideal use case would be that I can use my prod API as a BE for my dev FE as well.

Obviously wouldn't be too happy rewriting stuff now, but better late than never.

Thank you all!
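The Sanctum SPA cookie exchange the question relies on, written out as an added example (not code from the question or from Laravel): the browser client first requests /sanctum/csrf-cookie, then echoes the URL-decoded XSRF-TOKEN cookie back in the X-XSRF-TOKEN header, which is what keeps CSRF verification enabled instead of emptying $except. The API base URL, the credentials, and the injected fetch and cookie readers are placeholders so the flow runs offline.

```javascript
// Added example, not part of the original question. Demonstrates the Laravel
// Sanctum SPA authentication flow from the client side. fetchImpl/readCookies
// are injected placeholders standing in for window.fetch and document.cookie.

// Sanctum's XSRF-TOKEN cookie is URL-encoded; it must be decoded before being
// sent back, or VerifyCsrfToken rejects the request with 419.
function xsrfTokenFromCookieHeader(cookieHeader) {
  const prefix = 'XSRF-TOKEN=';
  const pair = String(cookieHeader)
    .split(';')
    .map((c) => c.trim())
    .find((c) => c.startsWith(prefix));
  return pair ? decodeURIComponent(pair.slice(prefix.length)) : null;
}

// Builds the login request. Browsers only attach the API's cookies when the
// SPA shares its top-level domain (a subdomain is fine); a page on
// localhost:3000 talking to domain.com never receives the cookie at all.
function buildLoginRequest(cookieHeader, credentials) {
  const token = xsrfTokenFromCookieHeader(cookieHeader);
  if (!token) {
    throw new Error('XSRF-TOKEN cookie missing: SPA origin did not receive the API cookie');
  }
  return {
    method: 'POST',
    credentials: 'include', // send the laravel_session cookie with the request
    headers: {
      Accept: 'application/json',
      'Content-Type': 'application/json',
      'X-XSRF-TOKEN': token, // Laravel reads this header (or X-CSRF-TOKEN)
    },
    body: JSON.stringify(credentials),
  };
}

// Full exchange: prime the session (204 No Content), then log in.
async function sanctumLogin(apiBase, credentials, fetchImpl, readCookies) {
  const primed = await fetchImpl(`${apiBase}/sanctum/csrf-cookie`, {
    method: 'GET',
    credentials: 'include',
  });
  if (primed.status !== 204) {
    throw new Error(`csrf-cookie failed with status ${primed.status}`);
  }
  return fetchImpl(`${apiBase}/login`, buildLoginRequest(readCookies(), credentials));
}
```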
