I recognise that the Dash team removed CSRF protection via a token due to the logic that POST requests don’t require this in JSON based applications:
Reading around (e.g https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet) it is suggested that CSRF can be prevented if a pre-flight request is forced by application/json made to the server in order to check the permitted content types and the origin. If the origin is different then the payload is rejected.
Is this what Dash is doing to prevent CSRF? It is hard to pin point this in the code.