I have a site built with Bolt (http://bolt.cm) that runs on the main domain (let's call this www.domain.tld). I'd like to create a Laravel app that I can install on a subdomain (let's call this formengine.domain.tld). This app would be used to process forms from the main site, and send emails.
Problem is, how do I go about making that secure? As the two apps are different, how would I get a CSRF token on the main site?
At the moment, I know I'll be using a referrer check so that people don't just send forms as and when they please from another site, or perhaps manually through the API. I may even add an X-FormPassword parameter, where the password is randomly generated by Bolt according to a specific set of patterns and rules, sent to the Laravel app and decoded. If correct, it would allow the form to be sent.
But, this is all I can think of for now. If I can't use a CSRF token, is there a better method?
Thanks,
Mike
Right, so CORS seems to be the answer. I can add further protection if I want, but I think this is the way to go.
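As an added illustration, not code from the thread, from Bolt or from Laravel, here is one way to get the cross-app CSRF token the first post asks about without the two apps sharing a session: Bolt signs a short-lived token with a secret that both apps hold, embeds it in the form, and the Laravel app verifies the signature and age before sending any email. The function names, the TOKEN_TTL value, the hidden-field name and the secret are assumptions. One caveat that sits alongside the CORS conclusion: CORS only controls whether a script on another origin may read the response; a plain HTML form on any site can still POST to formengine.domain.tld, so the receiving side still needs a token check like this one (CORS and a referrer check can stay as extra layers).

```php
<?php
declare(strict_types=1);

// Stateless anti-CSRF token shared between two apps on different subdomains.
// Both apps load the same secret (for example from their respective .env files);
// no session cookie has to be shared across www. and formengine.
const TOKEN_TTL = 3600; // seconds a token stays valid (assumed value)

function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $enc): string|false
{
    // Restore padding so strict decoding accepts the token regardless of length.
    $padded = str_pad($enc, (int) (ceil(strlen($enc) / 4) * 4), '=');
    return base64_decode(strtr($padded, '-_', '+/'), true);
}

// Issuer (Bolt side): call when rendering the form and put the result in a hidden field.
// The payload carries the form name, the issue time and a random nonce; the HMAC
// binds all three to the shared secret so nothing in it can be altered.
function issue_form_token(string $secret, string $formName, ?int $now = null): string
{
    $now ??= time();
    $payload = json_encode(['f' => $formName, 'iat' => $now, 'n' => bin2hex(random_bytes(8))]);
    $mac = hash_hmac('sha256', $payload, $secret, true);
    return b64url_encode($payload) . '.' . b64url_encode($mac);
}

// Verifier (Laravel side): returns null when the token is acceptable, otherwise a
// short reason suitable for logging. Reject before doing any work or sending mail.
function verify_form_token(string $secret, string $formName, string $token, ?int $now = null): ?string
{
    $now ??= time();
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return 'malformed';
    }
    $payload = b64url_decode($parts[0]);
    $mac = b64url_decode($parts[1]);
    if ($payload === false || $mac === false) {
        return 'bad encoding';
    }
    // Constant-time comparison: a plain === would leak how many bytes matched.
    $expected = hash_hmac('sha256', $payload, $secret, true);
    if (!hash_equals($expected, $mac)) {
        return 'bad signature';
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || ($data['f'] ?? null) !== $formName) {
        return 'wrong form';
    }
    $age = $now - (int) ($data['iat'] ?? 0);
    if ($age < 0 || $age > TOKEN_TTL) {
        return 'expired';
    }
    return null;
}

// Demo with a constructed secret; in practice each app reads it from configuration.
$secret = 'replace-with-a-long-random-secret-shared-by-both-apps';
$token  = issue_form_token($secret, 'contact');                 // Bolt embeds this
var_dump(verify_form_token($secret, 'contact', $token));        // NULL: accepted
var_dump(verify_form_token($secret, 'newsletter', $token));     // "wrong form"
var_dump(verify_form_token($secret, 'contact', $token . 'x'));  // "bad encoding" or "bad signature"
var_dump(verify_form_token($secret, 'contact', $token, time() + TOKEN_TTL + 1)); // "expired"
```

On the Bolt side the token goes into a hidden input (for instance `_form_token`) in the rendered form; on the Laravel side a middleware or the controller reads that field and calls `verify_form_token` before anything else. The token is stateless, so within TOKEN_TTL a captured one could be submitted more than once; if that matters for the forms in question, the Laravel app can record each nonce (`n`) it has accepted in its cache until the token would have expired and refuse repeats.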