Test CSRF
with $csrfFetch
or test
with useCsrfFetch
POST /test (without csrf header)
POST /test (with csrf header)