CSRF is meant to protect authenticated sessions. The basic idea is: the server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore / log it. Your CSRF token should ideally only be passed to the client upon authentication.
https://docs.adobe.com/content/help/en/experience-manager-65/developing/introduction/csrf-protection...
![aanchalsikka_0-1716288984894.png](https://experienceleaguecommunities.adobe.com/t5/image/serverpage/image-id/74306iC5E198AAB4C12500/image-size/medium?v=v2&px=400)
However, you can make an AJAX request to the CSRF token endpoint (/libs/granite/csrf/token.json) and include the returned token in your servlet request as the "CSRF-Token" header. Please add the below-mentioned configurations in your dispatcher:
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/configuring-dispatcher-to-...
Aanchal Sikka
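The token.json fetch plus "CSRF-Token" header flow described in the reply above, as an added client-side example that is not code from the post, from Adobe, or from AEM itself. It assumes the token endpoint returns a JSON body of the form `{"token": "..."}`, and `/bin/myservlet` is a placeholder servlet path; `fetchImpl` is injectable only so the flow can be exercised without a live instance.

```javascript
// Added example: fetch AEM's CSRF token and send it as the "CSRF-Token"
// header on a state-changing request. Assumption: the endpoint responds
// with {"token": "..."} (not confirmed by the original post).

const TOKEN_ENDPOINT = "/libs/granite/csrf/token.json";

// Pull the token out of the endpoint's JSON body. Failing loudly here is
// better than sending a request with an empty header that the filter rejects.
function parseCsrfToken(body) {
  if (!body || typeof body.token !== "string" || body.token.length === 0) {
    throw new Error("CSRF token endpoint returned no token");
  }
  return body.token;
}

// Build the fetch options for the protected POST. credentials: "same-origin"
// makes the browser send the authenticated session cookie, which is what the
// server ties the token to; a request from another origin cannot read the
// token, so it cannot forge this header.
function buildProtectedRequest(token, body) {
  return {
    method: "POST",
    credentials: "same-origin",
    headers: { "CSRF-Token": token },
    body,
  };
}

// Fetch the token, then POST to the servlet with the token attached.
async function postWithCsrf(servletPath, body, fetchImpl = fetch) {
  const tokenResp = await fetchImpl(TOKEN_ENDPOINT, { credentials: "same-origin" });
  if (!tokenResp.ok) {
    throw new Error(`token endpoint returned HTTP ${tokenResp.status}`);
  }
  const token = parseCsrfToken(await tokenResp.json());
  return fetchImpl(servletPath, buildProtectedRequest(token, body));
}

// Placeholder servlet path; in a page script this would be the real endpoint.
// postWithCsrf("/bin/myservlet", new URLSearchParams({ action: "save" }));
```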