- when the user is logged in, the front-end stores the CSRF token (e.g. in local storage)
- with every additional request, the CSRF token is sent in a request header
- there is a notification shown to the user if a request was not successful due to the CSRF token validation
For the context of the attack, see the parent ticket. The back-end creates a CSRF token when a login request is performed. The token is then required for each further request; the back-end rejects any request that does not carry a valid token.