I am soliciting advice on correctly implementing nonces for ajax powered forms.
The forms are written in plain html.
The way, I have currently implemented is - the default form submit is intercepted through javascript and before processing the form, a get call is made to get a nonce token in JSON, the resulting nonce data is appended to the form data and is sent to the server for further processing via POST (XHR).
For security reasons, I have limited the scope of the nonce to 300 seconds. And the url that generates nonce values check for http referer to ensure that requests are made from the site. However, this may be futile due to the reasons mentioned in Referer header: privacy and security concerns (MDN)
Thank you.