To enable CSRF protection, a web application sends a GET request to the nonce resource. The core service returns a Set-Cookie header that causes the browser to store the nonce in the DasToken cookie.
Once the cookie is set, subsequent requests to any DAS service fail unless the value of the DasToken cookie exactly matches the value of the X-DAS-Token header. The browser attaches the cookie to every request automatically, but a page served from another origin cannot read the cookie and therefore cannot copy it into the header, so a cross-site script cannot forge a request on the authenticated user's behalf. Your web application should therefore read the DasToken cookie value and send it in the X-DAS-Token header on every subsequent request.
NOTE: The nonce resource is only useful for web applications running in a browser, where the browser attaches cookies to requests automatically. A native mobile application, for example, sets its own request headers and has no need to use the nonce resource.