My question is on PayPal's stateless CSRF solution: https://github.com/krakenjs/jwt-csrf
This CSRF solution obliges the user to put the token in the header. Is there a security reason why the token should be in the header?
If the requested data in the AJAX request needed to redirect, how would I carry the headers onto the redirect (in Express)? This is somewhat related to: "How do I redirect in expressjs while passing some context?" and "How to pass headers while doing res.redirect in express js". In this second post there is a comment: "as of 2017, setting headers before a redirect doesn't work in node".
Could this mean PayPal's stateless CSRF solution is not compatible with Express?