How to prevent CSRF in API-Centric Web Application

I am looking to build a web application using API-Centric architecture.

The frontend of the application would make requests to the REST API using AJAX.

How could I implement a robust CSRF prevention strategy for this application?

Solution

Some proposition: First You can use api-url like GET api/gime-csrf which return CSRF token as response and also set it in http-only cookie (so JS has no access to it - but remember to block TRACE request in server to prevent XST attack). Then when you make some "save state" request like POST/PUT/PATCH - you just put CSRF in some request header - and in server you compare header token value with cookie token value.

C# .NET Implement DHL API Tracking
What Exception class type does Spring Boot throw when the user tries to access a REST endpoint whose path does not exist at the @RestController?
How to modify default spring boot not found url exception with custom message
Return string type from Spring Boot to Angular
TypeORM: update item and return it
REST collections, good practice to do: GET api/CollectionA/<collection id>/CollectionB?
what status code to throw when there is a concurrency error?
ERROR: insert or update on table "promos" violates foreign key constraint "fk_businesses_promos"
HTTP method names: upper or lower case?
Jersey message body reader not found in maven-built JAR
ConvertFrom-Json : Cannot convert the JSON string because a dictionary that was converted from the string contains the duplicated keys
Best practice to return errors in ASP.NET Web API
How to get progress of file upload in percentage
How to configure JSON deserialization options in .NET minimal API project
XML Serializer not creating attributes
CORS error while consuming calling REST API with React
How to upload Multiple Images to rest API in Flutter?
Customize laravel sanctum unauthorize response
Error 415 when trying to merge PDFs by stirlingpdf.io with python
Laravel Api Help, Im getting a Null result when using json data from Site A using Site B Controller
Is HTTP status 202 appropriate for account creation, while waiting for a confirmation code?
How to make a large file accessible to external APIs?
HTTP Response code for "Please wait a little bit"
Why is requests (or urllib3) continuing to throw Timeout Value errors even though i did not change them?
How does middleware work in chi routing in Go and what does http.Handler argument refers to in middleware?
Unhandled Exception: type 'Null' is not a subtype of type 'Map<String, dynamic>'
How set Response body in javax.ws.rs.core.Response
How do I filter data in a restful way using Spring?
Handling 404 Errors Gracefully with Spring's RestClient
Using EU VIES REST Service to check VAT Number