This should be used by the clients capable of executing javascript to prevent XSS and CSRF attacks. Or use CSRF cookies (reachable by Javascript, httponly off). [See Angular Cross Site Request Forgery (XSRF) Protection](https://docs.angularjs.org/api/ng/service/$http#cross-site-request-forgery-xsrf-protection)
This should be used by the clients capable of executing javascript to prevent XSS and CSRF attacks.
Or use CSRF cookies (reachable by Javascript, httponly off). See Angular Cross Site Request Forgery (XSRF) Protection