I'm planning a web app that is exposed primarily through a client application through an API. I've tried to make some requests from an iPhone client to the proof of concept application, but keep getting CSRF token errors. Is there a way of getting a token from app to then pass as a parameter in my POST request? I know I can turn off protect from forgery, but don't want to compromise security by doing this.
CSRF is an attack, that works on the web only. So if you want to use your app as an API only, you can turn it off without any security flaws.