I've got a luminus site which is giving 403 errors on one page which doesn't require a login, but it looks to me like everything is okay. The csrf is injected into the page during the GET request, and I can see the
__anti-forgery-token: ... in form params on the POST. Not sure what's missing.
Anyone have a clue?