we are calling an API using servlet, Our AEM Instance in 6.5.5, we are successfully able to call the servlet and send the CRSF Token in the author instance. However, In the Publisher instance, we are getting an empty response from the /libs/granite/csrf/token.json, how can we validate or authenticate the POST request to get the CRSF token value in AEM Publisher.
CSRF protection is only available for authenticated user. So in author it will be passed while making any servlet call as you will be logged in.
But on Publish instance, if you are making any anonymous call, CSRF token will be empty as there will not be any authentication.
"The basic idea: Server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore/log it. Your CSRF token should ideally only be passed to the client upon authentication."
"There are no tokens on the publish instances for anonymous users."