Hi David, thank you for this article.
In our case, our Spring app works like an API that responds with JSON to incoming REST calls from a different Angular app. For every call, the basic authentication ID/password needs to be passed. If the HTTP call does not have the ID/password, the call is rejected. In such a case, can a CSRF attack happen? Because even if the browser session is hijacked, the malicious JS still needs to send the ID/password.
If there is still a possibility of a CSRF attack and I implement the cookie solution, are those cookies specific to a session? Does the session ID also need to be sent along with the CSRF cookie from Spring to Angular during the first call?
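The cookie-based CSRF setup the comment refers to, as an added example that is not part of the comment or of the article it replies to. It shows a Spring Security configuration that requires HTTP Basic credentials on every request and issues the CSRF token in a cookie that the Angular client can read; the package and class names are assumptions.

```java
package com.example.security; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig { // assumed class name

    @Bean
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Every request must be authenticated; credentials arrive via HTTP Basic,
            // matching the setup described in the comment.
            .authorizeRequests(authz -> authz.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            // Store the CSRF token in a cookie named XSRF-TOKEN with httpOnly=false,
            // so the Angular app's JavaScript can read it and echo it back in the
            // X-XSRF-TOKEN header on state-changing requests. Spring rejects a
            // POST/PUT/DELETE whose header value does not match the cookie value.
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()));
        return http.build();
    }
}
```

Two points relevant to the questions above: CookieCsrfTokenRepository keeps the token in the cookie itself rather than in the server-side HTTP session, so the check does not depend on a session ID being exchanged; and Angular's HttpClient adds the X-XSRF-TOKEN header from the XSRF-TOKEN cookie only for mutating requests to relative URLs, so an API served from a different origin than the Angular app needs the header set explicitly or a matching same-origin path.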