Nice article. But this is not CSRF. It’s true that the tokens are not validated on the server side but rather on the client side. This type of validation is known as double-submit cookies and is not vulnerable. This is how double-submit cookies function. Thanks.