CSRF Prevention

Hi all,

I recognise that the Dash team removed CSRF protection via a token due to the logic that POST requests don’t require this in JSON based applications:

Reading around (e.g https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet) it is suggested that CSRF can be prevented if a pre-flight request is forced by application/json made to the server in order to check the permitted content types and the origin. If the origin is different then the payload is rejected.

Is this what Dash is doing to prevent CSRF? It is hard to pin point this in the code.

Another useful resource on preflight requests suggesting that the browser forces this to the Dash server.