Laravel(backend) and VueJS(frontend created with Vue CLI) are separated, hence have different domains and repositories. I am wondering what is the best way to pass a CSRF token from Laravel to VueJS safely.
I've found some old questions here and on Laracasts but they are either irrelevant, outdated or have no answer. Here are a few:
Pass csrf token from Laravel to Vue
Creating a sign up token for Laravel app from separate frontend app
(Laracasts forum) CSRF in separate angular app
I am aware that Laravel ships with $except array in VerifyCSRFToken middleware. Adding frontend's URL to this list will create a security flaw, am I correct?
In case of using a standalone application (vue, react, angular ....) the best solution is to use Laravel Passport instead of using CSRF tokens.