Angular 6 does not add X-XSRF-TOKEN header to http request
The problem once again is Angular's poor documentation.
The fact is, Angular will add the X-XSRF-TOKEN
header only if the XSRF-TOKEN
cookie was generated server-side with the following options:
- Path =
/
- httpOnly =
false
(this is very important, and fully undocumented)
Besides, the Angular app and the URL being called must reside on the same server.
Refer this Angular Github issue
On my team, the problem was that we were using an absolute path instead of a relative path.
So do not use an absolute path like:
this.http.post<any>("https://example.com/api/endpoint",data)
Use
this.http.post<any>("api/endpoint",data)
Or use
this.http.post<any>("//example.com/api/endpoint",data)
This is because absolute paths are explicitly ignored by Angular code on HttpClientXsrfModule (see)