if the

apiDomain

and

websiteDomain

are the same, i'm not sure how it's possible for antiCsrf to be enabled.. are you sure there is no where else where this anti-csrf is being set to true?