Cordova CORS Security

We're currently building out an Android Cordova app which will need to send data back and forth from our PHP backend. We have CORS working; however, we have a couple of security concerns about how best to limit/protect the backend from CSRF.

We've currently implemented a one-time token system which is generated and saved per request, returned via JSON and then must be used in the next request.

The first token is only generated and returned when the user has confirmed their account via an SMS PIN on app install.

Does anyone know of a better, more secure way? We've implemented CORS previously, but they always come from a specific or small number of origins.

Any help hugely appreciated.

Thanks,
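
The token rotation described in the question, sketched as an added example (not the poster's code). The class name, the in-memory array standing in for the backend's storage, the device id key and the 300-second lifetime are all assumptions, and it requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example: in-memory stand-in for the per-device token table
// (assumption; a real backend would use its database).
final class OneTimeTokenStore
{
    /** @var array<string, array{hash: string, expires: int}> keyed by device id */
    private array $rows = [];

    public function __construct(private int $ttlSeconds = 300) {}

    // Issue a fresh token: once after SMS PIN confirmation, then after every valid request.
    public function issue(string $deviceId, ?int $now = null): string
    {
        $now ??= time();
        $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
        $this->rows[$deviceId] = [
            'hash'    => hash('sha256', $token),    // keep only a hash server-side
            'expires' => $now + $this->ttlSeconds,
        ];
        return $token;
    }

    // Check the presented token; on success rotate it and return the next one.
    public function redeem(string $deviceId, string $presented, ?int $now = null): ?string
    {
        $now ??= time();
        $row = $this->rows[$deviceId] ?? null;
        if ($row === null) {
            return null;                            // device never confirmed
        }
        if ($now > $row['expires']) {
            unset($this->rows[$deviceId]);          // expired: needs a new issue
            return null;
        }
        if (!hash_equals($row['hash'], hash('sha256', $presented))) {
            return null;                            // constant-time comparison failed
        }
        return $this->issue($deviceId, $now);       // overwrites the row: old token is dead
    }
}

// Constructed sample flow with fixed timestamps.
$store  = new OneTimeTokenStore(300);
$first  = $store->issue('device-123', 1000);            // after SMS PIN confirmation
$second = $store->redeem('device-123', $first, 1010);   // valid request, token rotated
var_dump($second !== null);
var_dump($store->redeem('device-123', $first, 1020));   // replay of the spent token
var_dump($store->redeem('device-123', (string) $second, 2000)); // presented after expiry
```

With this rotation, a response that never reaches the app leaves the client without a valid token, so the backend also needs a path to issue a new one.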