Is it imperative that CSRF tokens be injected into the initial HTML payload?

Shopify Partner
18 1 7

In the app requirements checklist I see "You must build a secure app that is protected against cross-site request forgery (CSRF) attacks, cross-site scripting (XSS) attacks and other security vulnerabilities."


Our app is fully compliant. While our app is a single-page React app, we server-side render the initial HTML payload, and during this initial render our server injects a CSRF token into the HTML template for the client side to use during runtime with POST requests to our API.


We're hosting our app on a cloud server now, and we'd like to convert our app to be 100% static meaning it would be hosted via CDN (S3 + Cloudfront) without a server.


We're wondering if it would be acceptable, per Shopify's requirements, that we use an alternative measure to provide CSRF protection (as well as XSS protection). With this change, our goal is to provide a fully CSRF protected app with the difference being that a CSRF token is not injected via server-side templating into the HTML, and the token is instead retrieved via other means (we are still researching methodologies).


So, would it work if the CSRF token is not included in the initial HTML payload, or is including this token in that initial payload imperative?

New Member
1 0 0


Shopify Partner
951 80 203

@Sachin1337 not sure how much of a "leet" hacker you are, as I've received three consecutive PM's from you with a single character in the text. Don't know if that consists of total pwnage