In forms with method “POST”, set a hidden field with name “_csrf”:
AngularJS reads the cookie ‘XSRF-TOKEN’ and sends it back in a header. Extra work is needed for jQuery.
Note: Why setRequestHeader for jQuery
In most cases, setting _csrf in the data field when posting via ajax is enough. The problem surfaces when uploading files with “multipart/form-data”. If multiparty is used to handle file uploads, the CSRF check happens before form processing and fails every time, because bodyparser ignores multipart forms.
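The note above, as an added example that is not code from the original page: a jQuery `beforeSend` hook copies the XSRF-TOKEN cookie into a header, and a small model of the server check shows why an upload with an unparsed multipart body passes only when the header is present. The function names, the `X-XSRF-TOKEN` header name (AngularJS's default) and the body-then-header lookup order are assumptions.

```javascript
// Added example; readCookie, attachCsrfHeader, findToken and csrfCheck are hypothetical names.

// Client: pull one value out of a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Client: copy the XSRF-TOKEN cookie into a request header.
function attachCsrfHeader(xhr, cookieString) {
  const token = readCookie(cookieString, 'XSRF-TOKEN');
  if (token !== null) xhr.setRequestHeader('X-XSRF-TOKEN', token);
  return token !== null;
}

// Browser only: register the hook, skipping cross-origin requests so the
// token is never sent to another site.
if (typeof window !== 'undefined' && window.jQuery) {
  window.jQuery.ajaxSetup({
    beforeSend: function (xhr, settings) {
      if (!settings.crossDomain) attachCsrfHeader(xhr, document.cookie);
    }
  });
}

// Server (model): look in the parsed body first, then in the header.
function findToken(req) {
  return (req.body && req.body._csrf) || req.headers['x-xsrf-token'] || null;
}

// Compare without stopping at the first differing character.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Runs before any multipart parser, so req.body is still empty for uploads.
function csrfCheck(req, expectedToken) {
  return safeEqual(findToken(req), expectedToken);
}
```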