1👍
✅
Found the answer here. The csrftoken is not supposed to be in the request headers for GET. Instead,
fetch('/api/workflows', { credentials: 'include' })...
which includes cookies, as described in the Fetch docs.
X-CSRFToken must still be set for PUT, PATCH and DELETE requests
Source:stackexchange.com