Protects against CSRF attacks using a double-submit cookie. The cookie will be set on any GET request which doesn't have the token set in the header. For all other requests, the value of the token from the CSRF cookie must match the value in the custom header (or in the request body, if checkFormBody is true).
Note that this scheme can be broken when not all subdomains are protected, or when HTTPS and secure cookies are not used and the token is placed in the request body (not in the header).
See the documentation for more details.
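The validation rule described above, as an added example that is not the library's own code: a GET without the header token gets a fresh cookie, every other method must present a cookie token equal to the header token (or the form field, when the form-body check is enabled). Cookie, header and form field names, and the Request/Outcome types, are constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed names for this example, not the library's configuration keys.
COOKIE_NAME = "XSRF-TOKEN"
HEADER_NAME = "X-XSRF-TOKEN"
FORM_FIELD = "csrfToken"


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Outcome:
    allowed: bool
    set_cookie: Optional[str] = None  # Set-Cookie header to send back, if any


def issue_cookie(token: str) -> str:
    # Secure keeps the cookie off plain HTTP; no HttpOnly, because the page's
    # script must read it to copy the value into the custom header.
    return f"{COOKIE_NAME}={token}; Path=/; Secure; SameSite=Strict"


def csrf_check(req: Request, check_form_body: bool = False) -> Outcome:
    """Double-submit cookie rule: GET without the header token -> allow and
    issue a new token cookie; any other method -> cookie token must equal the
    submitted token (header, or form field when check_form_body is True)."""
    if req.method.upper() == "GET":
        if HEADER_NAME not in req.headers:
            return Outcome(True, issue_cookie(secrets.token_urlsafe(32)))
        return Outcome(True)
    cookie_token = req.cookies.get(COOKIE_NAME)
    submitted = req.headers.get(HEADER_NAME)
    if submitted is None and check_form_body:
        submitted = req.form.get(FORM_FIELD)
    if not cookie_token or not submitted:
        return Outcome(False)  # missing on either side: reject
    # Constant-time comparison so the check does not leak token bytes via timing.
    return Outcome(hmac.compare_digest(cookie_token, submitted))
```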