pub const CSRF_COOKIE: &str = "assay_csrf";
Cookie name carrying the CSRF token. NOT HttpOnly — client JS reads this and echoes it in a request header (double-submit pattern).
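The server-side half of the double-submit check, as an added example that is not the project's own code. The function names, the `Path`/`Secure`/`SameSite` attributes and the sample token values are assumptions for illustration; the request header that carries the echoed token is left to the caller.

```rust
// Added example (not project code): server side of the double-submit check.
pub const CSRF_COOKIE: &str = "assay_csrf";

/// Set-Cookie value for the token. HttpOnly is deliberately absent so client
/// JS can read it; Path, Secure and SameSite are assumed attributes.
pub fn set_cookie(token: &str) -> String {
    format!("{}={}; Path=/; Secure; SameSite=Strict", CSRF_COOKIE, token)
}

/// Extract the token from a raw `Cookie:` header. Returns None when the
/// cookie is missing, empty, or present more than once (ambiguous).
pub fn csrf_cookie_value(cookie_header: &str) -> Option<&str> {
    let mut found = None;
    for pair in cookie_header.split(';') {
        if let Some((name, value)) = pair.trim().split_once('=') {
            if name == CSRF_COOKIE {
                if found.is_some() || value.is_empty() {
                    return None;
                }
                found = Some(value);
            }
        }
    }
    found
}

/// Byte comparison with no early exit on the first mismatching byte.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// True only when the echoed header token equals the cookie token.
/// A missing value on either side fails closed.
pub fn csrf_ok(cookie_header: Option<&str>, header_token: Option<&str>) -> bool {
    match (cookie_header.and_then(csrf_cookie_value), header_token) {
        (Some(c), Some(h)) => ct_eq(c.as_bytes(), h.as_bytes()),
        _ => false,
    }
}

fn main() {
    // Constructed sample values.
    let cookies = "session=abc123; assay_csrf=tok-9f2c";
    println!("{}", set_cookie("tok-9f2c"));
    println!("match: {}", csrf_ok(Some(cookies), Some("tok-9f2c")));
    println!("mismatch: {}", csrf_ok(Some(cookies), Some("tok-0000")));
    println!("no header: {}", csrf_ok(Some(cookies), None));
}
```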