API CSRF security problem

Because an API is meant to be used cross-site, the normal CSRF protection is not an appropriate choice for APIs. Therefore, for an API which is only used by our web app, we need to configure the server to use a same-origin policy, which helps the server prevent CSRF problems.
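
One way to enforce this on the server is to reject state-changing requests whose Origin, Referer or Sec-Fetch-Site header does not point at the web app itself. This is an added example, not code from the original page; the origin https://app.example.com and the function names are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumed origin of "our web app"; the page does not name one.
ALLOWED_ORIGINS = {"https://app.example.com"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(value):
    """Reduce an Origin or Referer value to scheme://host[:port], else None."""
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:  # malformed port or IPv6 literal
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # covers the literal "null" origin
    origin = f"{parts.scheme}://{parts.hostname}"  # hostname is lowercased
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    return origin


def is_same_origin_request(method, headers):
    """Decide whether the API should process this request."""
    if method.upper() in SAFE_METHODS:
        return True
    h = {k.lower(): v for k, v in headers.items()}
    # Fetch Metadata header: set by the browser, not settable by page script.
    site = h.get("sec-fetch-site")
    if site is not None and site != "same-origin":
        return False
    source = h.get("origin") or h.get("referer")
    if source is None:
        # Fail closed unless the browser itself asserted same-origin.
        return site == "same-origin"
    # Exact match on the parsed origin; prefix or substring checks would
    # accept https://app.example.com.attacker.test.
    return origin_of(source) in ALLOWED_ORIGINS


# Constructed sample requests (not from the page).
SAMPLES = [
    ("POST", {"Origin": "https://app.example.com"}),
    ("POST", {"Origin": "https://app.example.com.attacker.test"}),
    ("POST", {"Referer": "https://app.example.com/settings?tab=1"}),
    ("POST", {}),
]
if __name__ == "__main__":
    for method, hdrs in SAMPLES:
        print(method, hdrs, "->", is_same_origin_request(method, hdrs))
```

The check only holds if safe methods such as GET never modify state on the server.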