The problem once again is Angular’s poor documentation.
The fact is, Angular will add the `X-XSRF-TOKEN` header only if the `XSRF-TOKEN` cookie was generated server-side with the following options:
- Path = `/`
- httpOnly = `false` (this is very important, and fully undocumented)
Besides, the Angular app and the URL being called must reside on the same server.
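
The server side of this cookie-to-header check, as an added example that is not part of the original answer: it issues the `XSRF-TOKEN` cookie with `Path=/` and no `HttpOnly` attribute, then compares it with the `X-XSRF-TOKEN` header on state-changing requests. The function names, the `SameSite=Lax` and `Secure` attributes, and the sample values are assumptions.

```javascript
// Added example; function names are hypothetical. The token is assumed to
// come from a CSPRNG, e.g. crypto.randomBytes(32).toString('hex') in Node.

// Build the Set-Cookie value. HttpOnly is deliberately absent: client-side
// script has to read the cookie in order to copy it into X-XSRF-TOKEN.
function buildXsrfCookie(token, { secure = true } = {}) {
  const attrs = [`XSRF-TOKEN=${encodeURIComponent(token)}`, 'Path=/', 'SameSite=Lax'];
  if (secure) attrs.push('Secure'); // assumption: the site is served over HTTPS
  return attrs.join('; ');
}

// Parse a Cookie request header into a name -> value map.
function parseCookies(header = '') {
  const jar = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    try {
      jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      // Malformed percent-encoding: ignore this cookie.
    }
  }
  return jar;
}

// Compare two strings without stopping at the first differing character.
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// headers: object with lower-cased names, as Node's http module provides.
// Safe methods pass through; every other method needs cookie and header to match.
function verifyXsrf(method, headers) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase())) return true;
  const cookieToken = parseCookies(headers.cookie)['XSRF-TOKEN'];
  const headerToken = headers['x-xsrf-token'];
  if (!cookieToken || typeof headerToken !== 'string') return false;
  return safeEqual(cookieToken, headerToken);
}
```

A request rejected by `verifyXsrf` while the cookie is present is the symptom described above: the header was never attached, so check the cookie's `Path` and `HttpOnly` attributes first.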