3.3 CSRF Token Validation
The system identifies the request using the short-lived JWT issued during login. The XMLHttpRequest object sets a custom HTTP Authorization header on the request; the header value is the JWT, which serves as the cross-site request forgery (CSRF) token. The server then checks for the presence of this header and of the CSRF token. This protects endpoints used for XMLHttpRequest requests, since only XMLHttpRequest objects can set HTTP headers.
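The server-side check described above can be sketched as follows. This is an added example, not code from the system this page documents; the "Bearer" scheme, HS256 signing, the "exp" claim, the status codes and the names issueToken and verifyRequest are assumptions made for illustration.

```javascript
// Added example: server-side check of the Authorization header described above.
// Assumptions (not from the page): "Bearer" scheme, HS256-signed JWT, "exp" claim.
const nodeCrypto = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const sign = (data, key) => nodeCrypto.createHmac('sha256', key).update(data).digest();

// Hypothetical helper so the example can mint its own sample tokens.
function issueToken(claims, key) {
  const body = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${body}.${b64url(sign(body, key))}`;
}

// headers: lower-cased header map, as Node's http module provides it.
function verifyRequest(headers, key, nowSeconds = Math.floor(Date.now() / 1000)) {
  const value = headers['authorization'];
  if (typeof value !== 'string') return { ok: false, status: 403, reason: 'missing header' };

  const match = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(value);
  if (!match) return { ok: false, status: 403, reason: 'malformed token' };
  const [, h, p, s] = match;

  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, status: 403, reason: 'malformed token' };
  }
  // Pin the algorithm; never let the token's own "alg" field choose the verifier.
  if (header?.alg !== 'HS256') return { ok: false, status: 403, reason: 'unexpected alg' };

  const expected = sign(`${h}.${p}`, key);
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, status: 403, reason: 'bad signature' };
  }
  // Short-lived token: reject once "exp" has passed, or if it is absent.
  if (typeof claims?.exp !== 'number' || claims.exp <= nowSeconds) {
    return { ok: false, status: 401, reason: 'expired' };
  }
  return { ok: true, status: 200, subject: claims.sub };
}

// Constructed sample: a token valid for five minutes, then the check on it.
const demoKey = 'constructed-demo-key';
const demoToken = issueToken({ sub: 'demo-user', exp: Math.floor(Date.now() / 1000) + 300 }, demoKey);
console.log(verifyRequest({ authorization: `Bearer ${demoToken}` }, demoKey));
```

A request without the header, such as a plain cross-site form submission, is rejected at the first check, before any token parsing takes place.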