Where does Phoenix pick up CSRF token?

I’m struggling to understand Plug. Plug.CSRFProtection — Plug v1.14.0 says

The token may be sent by the request either via the params with key “_csrf_token” or a header with name “x-csrf-token”.

But I don’t see CSRF token in my conn. Neither in params nor req_headers.

I only see get_csrf_token() in a <meta> in app.html.heex.

Where should I look to understand this?

csrf token is used in 2 places:

  • for a form POST, a hidden input called _csrf_token is included in every form
  • for a socket connection, the app.js get the csrf_token from the html meta (which you found) and included in the connect params.

Then in the server side, phoenix extracts the token accordingly and compares it with the token stashed in the session to make sure they match before deeming the POST or the socket connect is coming from legit sources.


And I couldn’t find it because I was looking into a normal GET HTTP request, thank you so much!