Hi there! I'm trying to write an app that interacts with a site that uses Community Builder. I'm unable to POST any data to CB-managed forms via headless web clients or Postman, they come back with status 200 but an unauthorized error in the page source. POST through a normal web browser works fine.

I took a peek at the request data through a browser, and it looks like I'm missing the cbsecuritym3 token labelled as a spoof-check value. Including that would be difficult since it's rendered in Javascript and these web clients only offer the initial HTML response.

I turned off spoof checking in Community Builder settings and confirmed "enableSpoofCheck":"0" in _comprofiler_plugin DB table, but that token is still being sent on every POST through the browser.

Is there another way to disable it? Or does disabling still send the value without requiring it, in which case does anyone have thoughts on why else programmatic POSTs might come back unauthorized when programmatic GETs and browser POSTs succeed?

Thanks so much for any thoughts you have on this!