I’ve been validating my CSRF tokens by comparing the session value and the request headers(CSRF included) instead of the token in POST. I found them unnecessary anymore so I decided to remove them anyway. I’ve been finding the function where the hidden fields are being generated so that I can override it.