The company I work for is building an application in which security is of the utmost importance. We're really hoping to use Angular as the client-side application, and we're exploring how best to create our back-end in ColdFusion (which we've used for a few years now).
I understand that only so much security can exist in the front-end of the app, and that the bulk of the work needs to happen on the server. But I'm really unsure about how to move forward in that regard. From what I've read, it sounds like we'll need some kind of Authentication Token to be created on login and stored on the back-end. This token should come along with every HTTP request, and the server can then decide on the validity of the request.
Does this sound about right? And if so, are there best practices for implementing it?
Any resources that might shed more light on the topic would be HUGELY appreciated.