Thanks for clarifying why the cookie is needed and I get that we need the token for those methods you mentioned. But in the context of an API we're never using the token and end up sending unnecessary bytes down the wire on every request. That's why I would like to remove it. Just for API requests.

Even with $except = ['*'], it still adds the token to the headers for GET requests. I'd expect it to disable all CSRF related stuff for the given uri, including the setting of the Set-Cookie header.
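One way to get the behaviour asked for above, as an added example that is not code from this thread or from the framework's maintainers: it assumes the middleware being discussed is Laravel's `VerifyCsrfToken` (where `$except` lives), that API routes share the same middleware stack as web routes, and that they sit under the `api/*` URI prefix. Because `$except` only skips the token *check*, the override of the protected `addCookieToResponse` hook is what actually stops the `XSRF-TOKEN` cookie (and its `Set-Cookie` header) from being attached to API responses, while session-backed web routes keep both the cookie and the check.

```php
<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

// Added example, not from the thread. Assumptions: Laravel's VerifyCsrfToken
// middleware, and API routes living under the "api/*" URI prefix. Stateless
// API requests authenticate by other means (e.g. a bearer token), so they never
// read the XSRF-TOKEN cookie; skipping it removes the extra Set-Cookie bytes on
// every API response without weakening protection for web routes.
class VerifyCsrfToken extends Middleware
{
    /**
     * URIs excluded from CSRF token verification.
     *
     * This only skips the token *check*; the framework still calls
     * addCookieToResponse() for these requests, which the override below handles.
     */
    protected $except = [
        'api/*',
    ];

    /**
     * Skip attaching the XSRF-TOKEN cookie for API requests.
     * Web routes fall through to the parent implementation unchanged.
     */
    protected function addCookieToResponse($request, $response)
    {
        if ($request->is('api/*')) {
            return $response;
        }

        return parent::addCookieToResponse($request, $response);
    }
}
```

Register this class in place of the stock middleware in the `web` group (it already replaces it in a default Laravel install since the app ships with its own `App\Http\Middleware\VerifyCsrfToken`). Keep the `api/*` pattern in both places in sync: if a request matches `$except` but not the `is()` check, the cookie is sent but never verified, which is wasted bytes rather than a security problem; the reverse (cookie suppressed but the check still applied) would make legitimate requests fail with a token mismatch.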

