CSRF protection causing form submission failures
Error Messages
CSRF token, 403 Forbidden, csrfmiddlewaretoken, authenticity_token, SameSite cookie
Problem
Form submissions return 403 Forbidden. AJAX POST/PUT/DELETE requests fail with "CSRF token missing or invalid". The token is present in the form, but the server still rejects it.
Solution
(1) Ensure the CSRF token is included in the request. Form: a hidden input field. AJAX: the X-CSRF-Token header or a field in the request body.
(2) Token rotation: after login the token changes, so re-fetch it instead of reusing the pre-login value.
(3) SPA gotcha: if the page is cached or loaded from a service worker, the embedded token may be stale.
(4) SameSite cookie issues: the cookie that backs the CSRF check needs SameSite=Lax, or SameSite=None together with Secure.
(5) Multi-tab: some frameworks invalidate the old token when a new one is issued, so a form loaded in an older tab submits a token that no longer matches.
(6) Framework-specific field names: Django uses csrfmiddlewaretoken, Rails uses authenticity_token, Express/csurf uses _csrf.
Why
CSRF tokens are single-use or session-bound secrets that prove the request originated from a page your site served to this session, rather than from a cross-site page that merely rides on the browser's cookies. A token mismatch means the server cannot verify the request's origin, so it refuses the request instead of trusting the cookie alone.