I’m looking to build an API which will feed a website (and maybe a mobile app). I wanted to use DRF for the backend API and then have a separate frontend (likely an SPA like React). I’m new to Django, so I’m checking out guides/tutorials, and most seem to either embed React into a template (not what I want to do, as I want to do SSR easily) or have a separate backend and use token auth and just save it in local storage (which I obviously can’t do).
What’s the usual way to authenticate a separate frontend from a Django backend on different domains? Looking around I’ve seen discussion of using an HttpOnly cookie etc., but no definitive guidance which covers both CSRF and XSS etc. Any advice would be appreciated. Thanks.
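Added example, not code from the post or from Django/DRF itself: a framework-free Python model of the cookie pattern the question circles (an HttpOnly session cookie the SPA's scripts cannot read, plus a readable CSRF cookie the SPA echoes in a header, with the order of checks approximating what Django's CORS/session/CSRF layers do). The origins, cookie names, session store and token values are constructed; Django additionally falls back to a Referer check when Origin is absent, which this simplified version does not.

```python
# Framework-free model of cookie auth for a cross-site SPA + API (constructed
# example; mirrors the shape of Django/DRF session + CSRF checks, not their code).
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
import hmac

API_ORIGIN = "https://api.example.com"            # constructed: DRF backend
ALLOWED_ORIGINS = {"https://www.example.org"}     # constructed: SPA, a different site
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def login_set_cookies(session_id: str, csrf_token: str) -> list[str]:
    """Set-Cookie headers a login response would send.
    The session cookie is HttpOnly, so an XSS payload in the SPA cannot read it.
    The CSRF cookie is deliberately readable so the SPA can copy it into a header.
    SameSite=None; Secure is required because the SPA and API are different sites;
    if both were subdomains of one registrable domain, SameSite=Lax would do."""
    return [
        f"sessionid={session_id}; Path=/; Secure; HttpOnly; SameSite=None",
        f"csrftoken={csrf_token}; Path=/; Secure; SameSite=None",
    ]

@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)   # Origin, Cookie, X-CSRFToken

def authorize(req: Request, sessions: dict) -> tuple[int, str]:
    """Return (status, reason) after the CORS-origin, session and CSRF checks."""
    origin = req.headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"
    cookies = SimpleCookie(req.headers.get("Cookie", ""))
    sid = cookies["sessionid"].value if "sessionid" in cookies else None
    user = sessions.get(sid)
    if user is None:
        return 401, "no valid session"
    if req.method not in SAFE_METHODS:
        # Double-submit check: a cross-site page can make the browser attach the
        # cookies, but cannot read them to fill the header, so a forged POST fails.
        cookie_tok = cookies["csrftoken"].value if "csrftoken" in cookies else ""
        header_tok = req.headers.get("X-CSRFToken", "")
        if not cookie_tok or not hmac.compare_digest(cookie_tok, header_tok):
            return 403, "csrf token missing or mismatched"
        if origin is None:
            return 403, "unsafe request without Origin"
    return 200, f"ok as {user}"
```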