csrf_token, caching #1958

@sdarwin

Until recently, there had been a basic, easy way to cache web pages in the CDN. It followed this logic:

  • 90% or more of users will be anonymous, and not log in.
  • those visitors don't have browser cookies. (or, very limited 'boost-version' which is the same for everyone).
  • Voilà. CDN caching works fine.

Last month a commit apparently added csrf_token cookies to 100% of pages. /templates/includes/_header.html

commit adebb47258c4729817a017ca1607a2835e3634ef
Date:   Fri Sep 5 13:55:33 2025 -0700
    Added contributor email address claim validation (#1710) (#1866)
+      document.body.addEventListener('htmx:configRequest', function(event) {
+        event.detail.headers['X-CSRFToken'] = '{{ csrf_token }}';
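
Review bot: The `'{{ csrf_token }}'` interpolation on the second added line writes a per-visitor value into the HTML of every page that includes this header, so the rendered output is no longer identical across anonymous visitors and a shared cache cannot serve it. If this is a Django template, evaluating `csrf_token` also causes the CSRF cookie to be set on the response, which matches the cookies described in this issue. Consider having the `htmx:configRequest` handler look the token up at request time (from the cookie, or from an element rendered only on pages that actually post) and attach `X-CSRFToken` only to non-GET requests, so that read-only pages render no token at all.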

It might be possible to selectively remove csrf_tokens on the CDN side, but only for particular pages and anonymous users.

But it's worth exploring the idea... does that token need to be added on all pages? Instead could it be included specifically where needed, and not elsewhere.
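
A check for the caching condition described in this issue, as an added example that is not part of the original post or the project's code: it reports why a response could not be shared between anonymous visitors. The cookie name `csrftoken` (Django's default) is an assumption, and all header values are constructed samples.

```python
from http.cookies import SimpleCookie

# Cookies that are the same for everyone, per the issue text.
SHARED_COOKIES = {"boost-version"}


def cache_blockers(request_cookie_header, response_headers):
    """Return reasons a CDN should not share this response between visitors.

    response_headers is a list of (name, value) pairs so that repeated
    Set-Cookie headers are preserved.
    """
    reasons = []
    sent = SimpleCookie()
    sent.load(request_cookie_header or "")
    for name in sent:
        if name not in SHARED_COOKIES:
            reasons.append(f"request carries per-visitor cookie {name!r}")
    for header, value in response_headers:
        header = header.lower()
        if header == "set-cookie":
            issued = SimpleCookie()
            issued.load(value)
            for name in issued:
                if name not in SHARED_COOKIES:
                    reasons.append(f"response sets per-visitor cookie {name!r}")
        elif header == "vary":
            fields = {f.strip().lower() for f in value.split(",")}
            if "cookie" in fields or "*" in fields:
                reasons.append("response varies on Cookie")
    return reasons


# Constructed sample: anonymous page with no token rendered.
WITHOUT_TOKEN = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Cache-Control", "public, max-age=300"),
]
# Constructed sample: same page once the token is rendered in the header.
WITH_TOKEN = WITHOUT_TOKEN + [
    ("Vary", "Accept-Encoding, Cookie"),
    ("Set-Cookie", "csrftoken=CONSTRUCTED-SAMPLE; Path=/; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, headers in (("without", WITHOUT_TOKEN), ("with", WITH_TOKEN)):
        print(label, cache_blockers("boost-version=1.89.0", headers))
```

Run against real responses for anonymous page loads, an empty result means the page is safe to cache under the logic listed at the top of this issue.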
