CSRF Protection

Test #13

This form is protected by CSRF tokens. Your scraper must obtain a token before submitting the form.

Test Passing Criteria
How CSRF Protection Works

Cross-Site Request Forgery (CSRF) protection requires that every state-changing request include a secret token that proves the request originated from this site.

To scrape this page, your bot must:

  1. GET /api/test/csrf/token to obtain a CSRF token (also sets an HttpOnly cookie)
  2. Include the token as an x-csrf-token header or _csrf body field in the POST request
  3. Maintain the sm_csrf_token cookie across requests (same session/cookie jar)
  4. POST /api/test/csrf/submit with the token to access the protected data

After a successful submission, the server rotates the token. The new token is returned in the response as newToken.
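The check behind these steps, modelled in-process as an added example (not this site's own code). It assumes a double-submit design in which the sm_csrf_token cookie carries the token value, a 403 status on rejection, and a constructed response payload; only the cookie, header, field and newToken names come from this page.

```python
import hmac
import secrets

COOKIE = "sm_csrf_token"   # cookie name from the page
HEADER = "x-csrf-token"    # header name from the page
FIELD = "_csrf"            # JSON body field name from the page


def issue_token(cookies):
    """Model of GET /api/test/csrf/token: mint a token and set the cookie."""
    token = secrets.token_urlsafe(32)
    cookies[COOKIE] = token  # assumption: the cookie carries the token value
    return {"token": token}


def submit(cookies, headers=None, body=None):
    """Model of POST /api/test/csrf/submit: returns (status, json)."""
    expected = cookies.get(COOKIE, "")
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    presented = headers.get(HEADER) or (body or {}).get(FIELD) or ""
    # Reject when either side is missing; otherwise compare in constant time.
    if not expected or not presented or not hmac.compare_digest(
        str(expected).encode(), str(presented).encode()
    ):
        return 403, {"error": "invalid CSRF token"}  # constructed error body
    # Rotate after success so the token just used cannot be replayed.
    new_token = issue_token(cookies)["token"]
    return 200, {"data": "protected", "newToken": new_token}  # constructed data


def demo():
    """Walk the four steps plus the failure modes a client can hit."""
    jar = {}                                        # the client's cookie jar
    token = issue_token(jar)["token"]               # step 1: fetch token + cookie
    results = [submit({}, {HEADER: token})[0]]      # cookie jar not maintained
    results.append(submit(jar, {})[0])              # token not sent at all
    status, reply = submit(jar, {HEADER: token})    # header form, same jar
    results.append(status)
    results.append(submit(jar, {HEADER: token})[0])  # stale token after rotation
    results.append(submit(jar, body={FIELD: reply["newToken"]})[0])  # body form
    return results


if __name__ == "__main__":
    print(demo())
```
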

CSRF Token
This token must be included in your POST request as an x-csrf-token header or _csrf field in the JSON body.
Protected Form
Submit this form with the CSRF token to access protected data.