electrode-io / electrode-csrf-jwt

Stateless Cross-Site Request Forgery (CSRF) protection with JWT


Best practice for CSRF across tabs

mmcgahan opened this issue · comments

I really like the simplicity of this plugin, but I'm not sure the best way to use it while allowing for users to open instances of the site across multiple tabs, where cookies are shared but headers are not - is there a recommended approach to handling that? I could set the header value into a cookie, but that seems like it would be undermining the security pattern of the plugin.

Reading through some other sources about how to handle this situation, it seems like the most straightforward solution would be to save the header CSRF as a cookie alongside the cookie CSRF, and then send it back to the server in the header on each CSRF-protected request. A little awkward, but doable.

I would love to see an option for handling the header token this way, or, alternatively, letting the user of this module get the token directly and embed it wherever they like.

In my case, it's simply because I'd rather not make a separate request to the server just to get the header (which I have to at the moment, since I can't get it from the original GET that returns my single-page app).