Using a CSRF token would probably work in the frontend, as long as it is properly invalidated after a request.
But additional care is needed when the frontend allows for a retry with a new CSRF token, as this request would still result in a valid response but without any write being performed (because Apollo would remember the idempotency token, but not the changed CSRF token).
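The retry behaviour described above, as an added example that is not part of the original comment and is not Apollo's code. It is a toy in-memory model; the handler shape, the `replayed` flag and the sample key `order-123` are assumptions made for illustration.

```javascript
// Toy model (constructed for illustration, not Apollo's code): a mutation
// handler with single-use CSRF tokens and an idempotency-key response cache.
const { randomBytes } = require("node:crypto");

function createServer() {
  const csrfTokens = new Set();        // issued, not yet consumed
  const idempotencyCache = new Map();  // idempotency key -> stored response
  const writes = [];                   // stands in for the database

  function issueCsrfToken() {
    const token = randomBytes(16).toString("hex");
    csrfTokens.add(token);
    return token;
  }

  function handleMutation({ csrfToken, idempotencyKey, payload }) {
    // Single-use CSRF token: invalidated on first use, rejected afterwards.
    if (!csrfTokens.delete(csrfToken)) {
      return { status: 403, error: "invalid or reused CSRF token" };
    }
    // The idempotency key is remembered; the CSRF token it arrived with is not.
    const cached = idempotencyCache.get(idempotencyKey);
    if (cached) {
      // Valid response, but no write. The flag (an assumption of this
      // sketch) lets the frontend tell a replay from a fresh write.
      return { ...cached, replayed: true };
    }
    writes.push(payload);
    const response = { status: 200, writeId: writes.length };
    idempotencyCache.set(idempotencyKey, response);
    return { ...response, replayed: false };
  }

  return { issueCsrfToken, handleMutation, writeCount: () => writes.length };
}

function demo() {
  const server = createServer();
  const req = { idempotencyKey: "order-123", payload: { qty: 1 } }; // constructed
  const t1 = server.issueCsrfToken();
  const first = server.handleMutation({ ...req, csrfToken: t1 });
  const reuse = server.handleMutation({ ...req, csrfToken: t1 }); // same token again
  const t2 = server.issueCsrfToken();
  const retry = server.handleMutation({ ...req, csrfToken: t2 }); // retry, new token
  return { first, reuse, retry, writes: server.writeCount() };
}
```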