Hi, having some trouble with CSRF token on one env...
# ory-selfhosting
Hi, having some trouble with CSRF token on one environment of ours 🧵
curl 'https://(ory-domain.com)/self-service/login/flows?id=75f0eb1e-2397-4c13-9094-9039e0d150ee' \
  -H 'accept: application/json, text/plain, */*' \
  -H 'accept-language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'cache-control: no-cache' \
  -H 'cookie: csrf_token_575524b945bb63e848e2a886d605a52326c2c9ff558924b35122ae001f538c60=3/mTe3T3tpsjyX4upedaYTHXDa1j3C6Ol1ONhGVG5tE=; ory_oauth2_login_csrf_recursinggangulya49gtn3zqc_dev_896642438=MTczMDExMTQ2Mnx3MS1ucDlEaWJiMWFya3VSbHVmaC1BUm0tN3NNQjdVOFVyVktlcjMxNFZ3M0pyNmkzQUFSczBZV2F1Z0xtdHVMYnM3N29PNERhcEVPdWFYZnhfVWU1M0VTY0VRQm93WkY1V2tpUFlsZUkzdEU5RUdERnFKamlpQTB0Rk9vfD066omYX9p6-OfZ7B8_G4pLbbdf33onDjumxvDMW6Bx; _cfuvid=YMEF_snIUeeIlAsKDcKgujhIVHf72BoUx7Egc8Uufls-1730111464491-0.0.1.1-604800000; _ga_198NPKWM95=GS1.1.1730110242.3.0.1730111467.0.0.0' \
  -H 'origin: https://(sub.domain.com)' \
  -H 'pragma: no-cache' \
  -H 'priority: u=1, i' \
  -H 'referer: https://(sub.domain.com)' \
  -H 'sec-ch-ua: "Chromium";v="130", "Brave";v="130", "Not?A_Brand";v="99"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-site' \
  -H 'sec-gpc: 1' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36'
Response (HTTP 403):
{
  "error": {
    "id": "security_csrf_violation",
    "code": 403,
    "status": "Forbidden",
    "request": "d67cd273-b7b6-9e61-a7a2-68d6645b998b",
    "reason": "Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues.",
    "details": {
      "docs": "https://www.ory.sh/kratos/docs/debug/csrf",
      "hint": "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).",
      "reject_reason": "The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."
    },
    "message": "the request was rejected to protect you from Cross-Site-Request-Forgery"
  }
}
This started happening on our staging environment without making config changes as far as we can see.
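An added, offline diagnostic for the `security_csrf_violation` response in the post (example code, not Ory's and not the poster's): it parses a browser `Cookie` header, lists every Kratos anti-CSRF cookie it carries, and pulls the hidden `csrf_token` node out of a fetched flow so you can see what the browser actually sent next to what Kratos expects back on the follow-up request. Two assumptions are made and labelled in the code: the anti-CSRF cookie name starts with `csrf_token_`, and a browser flow exposes its token as a `ui.nodes` entry whose `attributes.name` is `csrf_token`. The sample cookie header and flow JSON are constructed, not taken from the thread.

```python
# Added example (not Ory's code, not the poster's): offline CSRF-state
# diagnostic for a Kratos self-service browser flow.
from __future__ import annotations

CSRF_COOKIE_PREFIX = "csrf_token_"   # assumption: Kratos anti-CSRF cookie-name prefix


def parse_cookie_header(header: str) -> dict[str, str]:
    """Split a raw Cookie request header into a name -> value mapping.

    Cookie values may themselves contain '=' (base64 padding), so only the
    first '=' in each pair is treated as the name/value separator.
    """
    cookies: dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def anti_csrf_cookies(cookies: dict[str, str]) -> dict[str, str]:
    """Keep only the Kratos anti-CSRF cookies from a parsed Cookie header."""
    return {n: v for n, v in cookies.items() if n.startswith(CSRF_COOKIE_PREFIX)}


def flow_csrf_token(flow: dict) -> str | None:
    """Return the csrf_token value from a flow's ui.nodes, or None if absent."""
    for node in flow.get("ui", {}).get("nodes", []):
        attrs = node.get("attributes", {})
        if attrs.get("name") == "csrf_token":
            return attrs.get("value")
    return None


def diagnose(cookie_header: str, flow: dict | None) -> list[str]:
    """Produce human-readable findings about the CSRF state of one request."""
    findings: list[str] = []
    csrf = anti_csrf_cookies(parse_cookie_header(cookie_header))
    if not csrf:
        findings.append("no anti-CSRF cookie sent: the browser holds no Kratos "
                        "CSRF cookie for this domain")
    elif len(csrf) > 1:
        findings.append(f"{len(csrf)} anti-CSRF cookies sent "
                        f"({', '.join(sorted(csrf))}): cookies left over from "
                        "another Kratos URL can collide; clear them and restart the flow")
    else:
        findings.append(f"exactly one anti-CSRF cookie sent: {next(iter(csrf))}")

    if flow is None:
        findings.append("flow not fetched (e.g. 403): no csrf_token can be taken "
                        "from the flow response")
    else:
        token = flow_csrf_token(flow)
        if token is None:
            findings.append("flow has no csrf_token node in ui.nodes")
        else:
            findings.append("flow csrf_token present: send it as X-CSRF-Token or "
                            "as the csrf_token form field when submitting")
    return findings


# Constructed sample data (not from the thread): two stale-looking CSRF
# cookies plus unrelated cookies, and a minimal browser flow carrying a token.
SAMPLE_COOKIE_HEADER = (
    "csrf_token_aaaa1111=tokenA=; "
    "csrf_token_bbbb2222=tokenB=; "
    "_ga=GS1.1.1; "
    "ory_kratos_session=abc"
)
SAMPLE_FLOW = {
    "id": "00000000-0000-0000-0000-000000000000",   # constructed placeholder id
    "type": "browser",
    "ui": {"nodes": [
        {"type": "input",
         "attributes": {"name": "csrf_token", "type": "hidden", "value": "flow-token-xyz"}},
        {"type": "input", "attributes": {"name": "identifier", "type": "text"}},
    ]},
}

if __name__ == "__main__":
    for line in diagnose(SAMPLE_COOKIE_HEADER, SAMPLE_FLOW):
        print("-", line)
```

Run it against the real `cookie:` header and the flow JSON from a working environment to compare the two; the point of the cookie count is that a duplicate `csrf_token_*` cookie from a different Kratos public URL or path is one of the common ways the cookie and the flow's token stop matching.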