Sensitive information should never depend on the client-side¹ because JavaScript encryption is useless.
The transparency offered by today's browsers makes all your code and information readable and changeable in just a few clicks. This does not mean that older browsers made the web more secure. On the contrary, in the past it was easier for a developer to believe that their application was safe when using any kind of complication such as JavaScript encryption, compiled applications (Flex / ActionScript), etc.
CSRF tokens can help you prevent someone from forging a call to your server from another source (cURL, CORS, etc.), but will not guarantee that the remaining information being passed will be as good as expected.
You can use a combination of CSRF tokens with SSL / TLS to encrypt the connection between the client and the server, avoid possible tampering with the JavaScript files, and ensure that the response came from your application, but that does not justify relying on the client-side to provide sensitive information.
Update
Responding to the comment: any security mechanism you can think of using JavaScript in browsers has been thought of before; this is not a mess, but simply the way JavaScript works in the browser. Even if the server creates a public key for the client to use, and you guarantee that the information was encrypted with a valid key, the end user still has the information before it is encrypted. The ease of forging data that does not represent reality is the same with or without such a mechanism, since the client will simply tamper with the information before it is encrypted.
If you are depending on your client's secure information, you need to rethink your application.
- What action does the customer perform that guarantees you the right points?
- Who has a financial obligation to create this score?
- Are there multiple actions, each with a different score value?
- Can the same action result in different scores?
- Is a person able to acquire points while offline and synchronize when online?
Each question you can think of about your model can better specify where your problem lies. If your customer earns points offline, you need to think of coupon forms, such that a coupon has a generated code that makes it mathematically unlikely that someone will be able to "find" it randomly. If your customer earns points when making a purchase, it may be the institution's own responsibility to ensure the authenticity of the information. If a specific action is only able to generate a specific number of points, this score can be stored server-side.