If the token is visible in the page source (i.e. a hidden input field), wouldn’t this defeat the purpose? The token can just be grabbed from the page source. Maybe I’m overthin