I am developing an External tool that will be used by our Moodle platform.
I found that Moodle sends a POST with a Cross-Site Request Forgery (CSRF) token attached. However, the External tool site is also checking for CSRF tokens it generates, so it fails to recognize the token sent by Moodle.
I have not found any good information regarding this topic. I am not sure if should be checking this token or not in my External tool, as it was generated by Moodle and not my External tool site.
Any information about the best practice on this topic this will be greatly appreciated.