For a form POST, a hidden input called _csrf_token is included in every form.
For a socket connection, app.js gets the csrf_token from the HTML meta (which you found) and includes it in the connect params.
Then on the server side, Phoenix extracts the token accordingly and compares it with the token stashed in the session to make sure they match before deeming that the POST or the socket connect is coming from a legit source.
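
A simplified model of the flow described above, as an added example that is not part of the original post and not Phoenix's own code (Phoenix's actual check lives in Plug.CSRFProtection). The function names, the plain-object session and the sample page are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of the flow, not Phoenix's implementation.
const crypto = require("node:crypto");

// Server: create the token once and stash it in the session (a plain object here).
function issueToken(session) {
  session.csrfToken ??= crypto.randomBytes(18).toString("base64url");
  return session.csrfToken;
}

// Server: the same token is rendered into both places the page can read it from.
function renderPage(session) {
  const token = issueToken(session);
  return `<meta name="csrf-token" content="${token}">
<form method="post" action="/posts">
  <input type="hidden" name="_csrf_token" value="${token}">
</form>`;
}

// Client (app.js): read the meta tag and put the token in the socket connect params.
// A browser would use document.querySelector; a regex stands in for the DOM here.
function connectParams(html) {
  const m = html.match(/<meta name="csrf-token" content="([^"]+)">/);
  return { _csrf_token: m ? m[1] : undefined };
}

// Server: constant-time comparison of the submitted token with the session's copy.
function tokenMatches(session, params) {
  const sent = Buffer.from(String(params._csrf_token ?? ""));
  const kept = Buffer.from(String(session.csrfToken ?? ""));
  return kept.length > 0 && sent.length === kept.length && crypto.timingSafeEqual(sent, kept);
}

// Constructed sample: one session, checked against valid and invalid submissions.
function demo() {
  const session = {};
  const html = renderPage(session);
  const formField = html.match(/name="_csrf_token" value="([^"]+)"/)[1];
  return {
    formPost: tokenMatches(session, { _csrf_token: formField }),
    socketConnect: tokenMatches(session, connectParams(html)),
    missingToken: tokenMatches(session, {}),
    wrongToken: tokenMatches(session, { _csrf_token: "x".repeat(24) }),
    otherSession: tokenMatches({ csrfToken: issueToken({}) }, connectParams(html)),
  };
}

console.log(demo());
```

The form POST and the socket connect both pass because they carry the token that was rendered for that session; a request with no token, a wrong token, or a token checked against a different session is rejected.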