I was reading [this](https://stackoverflow.com/a/42242802/2063755):

> browsers always send the Origin header in all POST, PUT, PATCH, and DELETE requests.

How much can we rely on this?
If it’s true that browsers send the Origin header for POST requests, then do we need to bother with anti-forgery tokens?
Or is it simply a matter of defence in depth?