Is it possible to protect against CSRF without using a backend in Angular 6?


We have a session-based API. The company is using Laravel to get the API, then send it back to Angular 6. The sole reason they are using Laravel instead of consuming the data directly is just to protect against CSRF.

Is it possible to protect against CSRF without using a server-side backend? Would Angular interceptors do the job? There are no tokens, it's x-session.


Solution

  • You can never trust anything that happens in the browser. You always have to assume that the user has complete control over the browser and can extract, delete & modify data at will.

    Any data manipulations or security-sensitive operations need to happen on hardware you control.
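
The point of the answer above, as an added example that is not part of the original answer or of the asker's code: a client-side interceptor can only carry a CSRF token, while issuing and checking it happens on the server. The header name `x-csrf-token`, the session ids and the function names are assumptions made for illustration, and the sample requests are constructed.

```javascript
const crypto = require('crypto');

// Assumption: a secret that exists only on the server, never in the Angular bundle.
const SERVER_SECRET = crypto.randomBytes(32);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Server issues a token bound to one session: HMAC-SHA256(secret, sessionId).
function issueCsrfToken(sessionId) {
  return crypto.createHmac('sha256', SERVER_SECRET).update(sessionId).digest('hex');
}

// Stand-in for a client-side interceptor: it only copies the token into a
// header (hypothetical name). It transports the value and decides nothing.
function attachToken(headers, token) {
  return { ...headers, 'x-csrf-token': token };
}

// The decision is made on the server, for every state-changing request.
function verifyRequest(req) {
  if (SAFE_METHODS.has(req.method)) return { ok: true, reason: 'safe method' };
  if (!req.sessionId) return { ok: false, reason: 'no session' };
  const presented = req.headers['x-csrf-token'];
  if (typeof presented !== 'string') return { ok: false, reason: 'missing token' };
  const expected = Buffer.from(issueCsrfToken(req.sessionId), 'hex');
  const got = Buffer.from(presented, 'hex'); // malformed hex gives a short buffer
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) {
    return { ok: false, reason: 'bad token' };
  }
  return { ok: true, reason: 'token valid' };
}

// Constructed sample requests; sessionId is what the server resolved itself.
function demo() {
  const token = issueCsrfToken('sess-A');
  return {
    own: verifyRequest({ method: 'POST', sessionId: 'sess-A', headers: attachToken({}, token) }),
    crossSite: verifyRequest({ method: 'POST', sessionId: 'sess-A', headers: {} }),
    otherSession: verifyRequest({ method: 'POST', sessionId: 'sess-B', headers: attachToken({}, token) }),
    garbage: verifyRequest({ method: 'POST', sessionId: 'sess-A', headers: { 'x-csrf-token': 'zz' } }),
    read: verifyRequest({ method: 'GET', sessionId: 'sess-A', headers: {} }),
  };
}

console.log(demo());
```

Only the request built with a token issued for the same session passes; the request without the header, the one reusing another session's token, and the malformed one are all rejected by the server-side check.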