We protect against CSRF by using custom headers (as long as the user has correctly restricted the CORS allowed origins). If, however, that restriction is not possible, then we do provide an anti-CSRF token which is added to the request header for each request.
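A sketch of the two server-side checks described above, as an added example that is not the project's own code. The header names, the origin allowlist and the `session.antiCsrfToken` field are assumptions made for illustration.

```javascript
// Added example. All names and values here are hypothetical, not the project's API.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed allowlist
const CUSTOM_HEADER = "x-requested-by"; // hypothetical custom header
const TOKEN_HEADER = "x-anti-csrf";     // hypothetical anti-CSRF token header

// CORS preflight answer: only allowlisted origins are told they may send the
// custom headers. For any other origin the browser blocks the real request.
function preflightHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Headers": `${CUSTOM_HEADER}, ${TOKEN_HEADER}`,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Length-checked comparison that does not exit early on the first mismatch.
function tokensMatch(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (a.length === 0 || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req.headers uses lower-cased keys. originsRestricted is true when the
// CORS allowlist above is actually enforced for this deployment.
function csrfCheck(req, session, originsRestricted) {
  const h = req.headers;
  if (originsRestricted) {
    // HTML forms and "simple" cross-site requests cannot set a custom header,
    // and scripted ones need a preflight that preflightHeaders() refuses.
    if (!h[CUSTOM_HEADER]) return { ok: false, reason: "missing custom header" };
    if (h.origin && !ALLOWED_ORIGINS.has(h.origin))
      return { ok: false, reason: "origin not allowed" };
    return { ok: true, reason: "custom header" };
  }
  // Origins cannot be restricted: the custom header alone proves nothing,
  // so require the per-session token in the request header instead.
  if (!tokensMatch(h[TOKEN_HEADER], session.antiCsrfToken))
    return { ok: false, reason: "bad anti-CSRF token" };
  return { ok: true, reason: "anti-CSRF token" };
}
```

The custom-header branch is only as strong as the allowlist: if the preflight answer reflects arbitrary origins, any site can send the header, which is why the token branch exists.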