From c2d5935394af6536ba7b8980271dac002469ecc1 Mon Sep 17 00:00:00 2001
From: Usman Baig
Date: Wed, 11 Mar 2026 21:54:24 +0100
Subject: [PATCH] security: send X-CSRF-Token on all state-changing API requests (F-01)

---
 lib/api/client.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/api/client.ts b/lib/api/client.ts
index 13bd1cb..9b82f2b 100644
--- a/lib/api/client.ts
+++ b/lib/api/client.ts
@@ -202,9 +202,9 @@ async function apiRequest(
   // * We rely on HttpOnly cookies, so no manual Authorization header injection.
   // * We MUST set credentials: 'include' for the browser to send cookies cross-origin (or same-site).
-  // * Add CSRF token for state-changing requests to Auth API
-  // * Auth API uses Double Submit Cookie pattern for CSRF protection
-  if (isAuthRequest && isStateChangingMethod(method)) {
+  // * Add CSRF token for all state-changing requests (Pulse API and Auth API).
+  // * Both backends enforce the double-submit cookie pattern server-side.
+  if (isStateChangingMethod(method)) {
     const csrfToken = getCSRFToken()
     if (csrfToken) {
       headers['X-CSRF-Token'] = csrfToken