name: X-XSRF-TOKEN
in: header
required: true
schema:
  type: string
  pattern: "^[a-zA-Z0-9_-]{32,64}$"
description: |
  Anti-CSRF token. Must match the `XSRF-TOKEN` cookie.
  Required for all state-changing requests (POST/PUT/PATCH/DELETE).
example: "abc123def456ghi789jkl012mno345pqr"