I’m using Yii2 as a REST backend and Angular.js as frontend. Authentication works via cookie. CORS is enabled and restricted to the frontend domain. Now I want to enable CSRF to enhance security, but I do not know how to get this working without the “comfort” of Yii doing this automatically (normally you use Yii2 views). Response format is set to FORMAT_JSON, so I have no meta tags in my response where I can set this token. How can I make this work? Do I have to extend the response handler so that each response object contains the token? What do I have to consider?