How to prevent CSRF in API-Centric Web Application

I am looking to build a web application using API-Centric architecture.

The frontend of the application would make requests to the REST API using AJAX.

How could I implement a robust CSRF prevention strategy for this application?

Solution

Some proposition: First You can use api-url like GET api/gime-csrf which return CSRF token as response and also set it in http-only cookie (so JS has no access to it - but remember to block TRACE request in server to prevent XST attack). Then when you make some "save state" request like POST/PUT/PATCH - you just put CSRF in some request header - and in server you compare header token value with cookie token value.

Django REST Framework Login
api platform - Unable to generate an IRI for the item
How can I make Laravel return a custom error for a JSON REST API
Spark Send DataFrame as body of HTTP Post request
Use $batch to bulk break SharePoint List items permission inheritance
GET request not supported in custom API in Business Central. "BadRequest_MethodNotAllowed"
Hyphen, underscore, or camelCase as word delimiter in URIs?
Should I use Singular or Plural name convention for REST resources?
RESTful resources: Plural vs. singular when a resource is always singular in the database
Which is better for Dynamic querying String Builder or string buffer?
Customize Global Exception Handler in java Spring Boot
Custom @ControllerAdvice in Spring for exception handling
How to handle MethodArgumentTypeMismatchException and set a custom error message in spring boot?
POST fails with invalid or missing data
How to make a get body travel method?
What does .+ mean in Path Variable?
Does Spring wait for each @PostConstruct to finish when loading ApplicationContext
Import "rest_framework" could not be resolved. But I have installed djangorestframework, I don't know what is going wrong
REST API design: one endpoint with if/else logic or two separate role based endpoints
My Component in React JS application don't read the Headers from REST-Api - Headers is Empty
{"the request was aborted: the connection was closed unexpectedly."}. I got this message when all api in for loop
HTTP Status Code for Resource not yet available
LinkedIn Rich Media Shares API error 'Not enough permissions to access media resource'
Why i can access dahsboard even when my login fail?
What’s the best RESTful method to return total number of items in an object?
Is it still possible to use the NASA Insights API for Mars weather?
JavaScript API Response - if clause for 'null' response
SQLSTATE=1H52/ SQLCODE=+462 with UPS API Tracking HTTPGETCLOBVERBOSE Request
User's password update via WordPress REST API
Is it ok to create entity in GET REST controller method with name getOrCreateIfNotExist?