Learn how to work with CakePHP 3 CSRF Component. If you want to protect your CakePHP 3 application, this is exactly what you need. Using Cross Site Request Forgery, an attacker can send data to your application from other domains.
In this video tutorial, you will learn how to work with the CSRF Component in CakePHP 3. I will teach you how to enable the CSRF component in your application, I will explain you the magic how it works behind the scene, and you will learn how to work with AJAX and CSRF, by sending X-CSRF-Token header in your AJAX requests.
I have been working as a php programmer for over 10 years, last 3 years on cakephp 3.x - 3.8.x I think you may also try read CSRF from hide input field .. for example: xhr.setRequestHeader('X-CSRF-Token', $('[name="_csrfToken"]').val());