I have the following code in my frontend JavaScript, which basically reads the CSRF cookie value and sets it in the AJAX calls made via jQuery.
var csrftoken = self.getCookie('csrftoken');
xhr.setRequestHeader("X-CSRFToken", csrftoken);
This seems to be a very standard technique and yet Veracode reports it as a vulnerability.
Looking at the details of this kind of vulnerability, at https://cwe.mitre.org/data/definitions/113.html, I don't see how it could be an issue, given the HTTP header is being set from the client end and not the server end. If the CSRF token value is injected wrongly, the request would not succeed due to CSRF mismatch anyway.
Why does Veracode consider this to be a vulnerability at all, or is it a vulnerability that I am unable to understand?
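Added example, not part of the original question: the data flow in the snippet above is cookie value into request header, and CWE-113 concerns CR/LF characters reaching a header. The sketch below checks the cookie value against an allowlist before it is passed to `setRequestHeader`. The token pattern, the function names `safeCsrfToken` and `setCsrfHeader`, and passing the cookie string as a parameter are assumptions made for illustration.

```javascript
// Added example. Only 'csrftoken' and 'X-CSRFToken' come from the question;
// every other name here is hypothetical.

// Assumed token format: 16 to 128 ASCII letters and digits.
// Adjust to the format the server-side framework actually issues.
const TOKEN_PATTERN = /^[A-Za-z0-9]{16,128}$/;

// Parse a cookie string (for example the value of document.cookie)
// and return the decoded value of one cookie, or null if absent.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== name) continue;
    try {
      // Decode first: "%0d%0a" only becomes CR/LF after decoding,
      // so validation has to run on the decoded value.
      return decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      return null; // malformed percent-encoding
    }
  }
  return null;
}

// Return the token only if it matches the allowlist, otherwise null.
function safeCsrfToken(cookieString) {
  const token = getCookie(cookieString, 'csrftoken');
  return token !== null && TOKEN_PATTERN.test(token) ? token : null;
}

// Set the header only for a validated token; report whether it was set.
function setCsrfHeader(xhr, cookieString) {
  const token = safeCsrfToken(cookieString);
  if (token === null) return false;
  xhr.setRequestHeader('X-CSRFToken', token);
  return true;
}

// Constructed sample cookie strings (not taken from the question).
const SAMPLE_OK = 'sessionid=xyz; csrftoken=AbCdEf0123456789AbCdEf0123456789';
const SAMPLE_CRLF = 'csrftoken=AbCdEf0123456789%0d%0aX-Injected:%201';
```

In the browser the call would be `setCsrfHeader(xhr, document.cookie)`; a `false` return means the request should be sent without the header or not sent at all.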