My ajax request:
//..............
var xhr = new XMLHttpRequest();
xhr.open("POST", url, true);
xhr.setRequestHeader("Content-type", "application/json;charset=UTF-8");
xhr.setRequestHeader("x-csrf-token", document.querySelector("meta[name=csrf]").content);
xhr.send(JSON.stringify(data));
On the page there’s a CSRF token generated by Phoenix:
<meta name="csrf" content="<%= Plug.CSRFProtection.get_csrf_token() %>" />
It’s sent to the server along with each ajax request; I can see it in Chrome. But my server always returns:
"403: invalid CSRF (Cross Site Request Forgery) token, make sure all requests include a valid '_csrf_token' param or 'x-csrf-token' header"
Why? How do I fix this?