in node csurf anti-csrf attacks, the front end first requests a token and then takes this koken for verification every time it sends a request, but a hacker can bring this token, when the page crawls the token, and then simulates the request on his own website. Does it not work if the csurf doesn"t throw away?