# general
However, you may not want to hard-code the anti-csrf 'true' value there, as some APIs (when you have a website) would not require CSRF.