Even with $except = ['*'], it still adds the token to the headers for GET requests. I'd expect it to disable all CSRF-related stuff for the given URI, including the setting of the Set-Cookie header.

There is no way of knowing that the response from a GET will be used or will not be used for a form posting.

The $except is for excluding routes from CSRF checks, not for determining if the token is sent.
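
A framework-free model of the behaviour described in the reply above, added here as an illustration and not taken from the thread or from any framework's source. The class name, the `$addCookie` switch, the 403 status and the cookie attributes are assumptions made for the example.

```php
<?php
// Simplified model of a CSRF middleware with an $except list (PHP 8+).
// All names here are hypothetical; this is not the framework's own code.
final class CsrfMiddlewareModel
{
    public function __construct(
        private array $except,            // URI patterns; '*' matches everything
        private string $sessionToken,
        private bool $addCookie = true    // assumed separate switch for the cookie
    ) {}

    // Returns [status, headers] for one request.
    public function handle(string $method, string $uri, ?string $sentToken): array
    {
        $isRead   = in_array($method, ['GET', 'HEAD', 'OPTIONS'], true);
        $excepted = $this->inExcept($uri);
        $matches  = $sentToken !== null && hash_equals($this->sessionToken, $sentToken);

        // $except only feeds this decision: verify the token or skip verification.
        if (!($isRead || $excepted || $matches)) {
            return [403, []];
        }

        // Sending the token is a separate step that never consults $except.
        $headers = [];
        if ($this->addCookie) {
            $headers['Set-Cookie'] = 'XSRF-TOKEN=' . rawurlencode($this->sessionToken) . '; Path=/; SameSite=Lax';
        }
        return [200, $headers];
    }

    private function inExcept(string $uri): bool
    {
        foreach ($this->except as $pattern) {
            if ($pattern === '*' || fnmatch($pattern, $uri)) {
                return true;
            }
        }
        return false;
    }
}

$token = bin2hex(random_bytes(16));                  // constructed sample token
$all   = new CsrfMiddlewareModel(['*'], $token);
var_dump($all->handle('GET', '/form', null));        // read request on an excepted URI
var_dump($all->handle('POST', '/submit', null));     // state-changing request, check skipped
$quiet = new CsrfMiddlewareModel(['*'], $token, false);
var_dump($quiet->handle('GET', '/form', null));      // same request with the cookie switch off
```

Comparing the headers in the three dumps shows that the except list changes only whether a request is verified, while the cookie is governed by the separate switch.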
