0👍
The action in the controller (example: ajaxRequest) that you need access by fetch or axios, could be unlocked, in the controller:
if you have generated the form with the cake helpers, the _CSRFTOKEN is in the form label or hidden input (sorry inspect the Form element in the browser), when you have localized the token, add this in the data of .$post().
public function beforeFilter(Event $event)
{
//this line is not necessary if you pass the _csrfToken
$this->getEventManager()->off($this->Csrf);
$this->Security->setConfig('unlockedActions', ['ajaxRequest']);
}
Source:stackexchange.com