It is becoming a common practice to only have an API on your web server and not generate the page's HTML on the server but through JavaScript in a user's browser.

However, it is also common for developers to still use standard sessions and logins when the API is only there to serve their own website at first. This can lead to issues regarding security. Whenever you create a form to be displayed in Symfony via Twig, it contains a CSRF token. This token is here to help us ensure that not only is the request coming from this user's browser (cookies do that) but also from your actual webpage and not a malicious tab in the user's browser.

With an API, your forms are going to be generated entirely in the frontend. So, they cannot include a CSRF token. Furthermore, whenever an attacker submits a request to our server through a user's browser, all the cookies will be sent together, allowing the attacker to control the user's account. However, because of the same origin...