PhoenixApiToolkit.Security.Plugs.ajax_csrf_protect

ajax_csrf_protect(conn, arg2 \\ nil)

Specs

ajax_csrf_protect(Plug.Conn.t(), any()) :: Plug.Conn.t()

Protect AJAX requests / API endpoints (ONLY those requests, not HTML forms!) against CSRF attacks by requiring the header x-csrf-token to be set to any value.

This defense relies on the same-origin policy (SOP) restriction that only JavaScript can add a custom request header, and only within its own origin. A CORS policy that allows other origins to send this header removes the protection. See https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#use-of-custom-request-headers

Examples / doctests

# requests that don't (shouldn't) change server state pass through
iex> conn(:get, "/") |> ajax_csrf_protect() |> Map.get(:halted)
false

# state-changing requests with the header pass through
iex> conn(:post, "/") |> put_req_header("x-csrf-token", "anything") |> ajax_csrf_protect() |> Map.get(:halted)
false

# state-changing requests without the header are rejected
iex> conn(:post, "/") |> ajax_csrf_protect()
** (PhoenixApiToolkit.Security.AjaxCSRFError) missing 'x-csrf-token' header
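
One way to wire the plug into a Phoenix router so that it covers only AJAX/API routes while HTML forms keep token-based protection. This is an added example, not code from PhoenixApiToolkit; `MyAppWeb`, the pipeline name `:ajax_api`, the controllers and the routes are hypothetical, and the API is assumed to authenticate with the session cookie.

```elixir
# Added example, not PhoenixApiToolkit code.
# MyAppWeb, the controllers and the routes are hypothetical.
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  # Function plugs are invoked as fun(conn, opts), hence arity 2.
  import PhoenixApiToolkit.Security.Plugs, only: [ajax_csrf_protect: 2]

  # HTML pages and forms: a plain <form> POST cannot set a custom header,
  # so these routes keep Phoenix's token-based CSRF protection.
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :protect_from_forgery
    plug :put_secure_browser_headers
  end

  # JSON endpoints called via fetch/XHR from the application's own origin.
  # Assumption: they authenticate with the session cookie, which is what
  # makes CSRF relevant for them.
  pipeline :ajax_api do
    plug :accepts, ["json"]
    plug :fetch_session
    plug :ajax_csrf_protect
  end

  scope "/", MyAppWeb do
    pipe_through :browser

    get "/settings", SettingsController, :edit
    post "/settings", SettingsController, :update
  end

  scope "/api", MyAppWeb.Api do
    pipe_through :ajax_api

    # Rejected unless the client sends x-csrf-token (any value).
    post "/orders", OrderController, :create
  end
end
```

Clients of the `/api` scope must then set `x-csrf-token` on every state-changing request, for example through the `headers` option of `fetch`.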