We have to include the CSRF token as part of every ajax post request in our application. We embedded the granite.csrf.standalone client libs and set the dispatcher rules also to allow url /libs/granite/csrf/token.json and CSRF-TOKEN header. We see that the CSRF token is getting added only when we login to CRX. If the CRX session is not created, the CSRF token is passed as undefined. Please let me know in case I am missing anything here.