A CSRF issue has been reported for AJAX requests. The CSRF token is validated if sent from a form as a hidden element, as well as from the request header for the AJAX request.
The response sent for an invalid CSRF token is an HTTP 400 status code, but Qualys is still reporting the CSRF issue.
The response from the Qualys scan report is below:
comment: The form re-submission with different set of cookies is successful. This may imply that the form does not contain any CSRF countermeasures.
Not sure why we get this response, even though we have an anti-CSRF token and its validation.
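
The scanner comment above describes replaying the same request under a different set of cookies. As an added example (not code from the original post or from Qualys), this sketch binds the token to the session and shows the replay being rejected with HTTP 400. The cookie name `SESSIONID`, the field `csrf_token`, the header `X-CSRF-Token` and the handler itself are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret key


def issue_token(session_id: str) -> str:
    """Derive the anti-CSRF token from the session id so it is useless elsewhere."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_post(cookies: dict, form: dict, headers: dict) -> int:
    """Return the HTTP status for a state-changing request (hypothetical handler)."""
    session_id = cookies.get("SESSIONID")
    if not session_id:
        return 401  # no session cookie at all
    # Token may arrive as a hidden form field or, for AJAX, as a request header.
    supplied = form.get("csrf_token") or headers.get("X-CSRF-Token") or ""
    expected = issue_token(session_id)
    # Constant-time comparison; a token issued for another session never matches.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 400  # invalid or missing token
    return 200


def replay_with_other_cookies(form: dict, headers: dict) -> int:
    """Replay the same body and headers under a fresh, constructed session id."""
    other = {"SESSIONID": secrets.token_hex(16)}
    return handle_post(other, form, headers)


if __name__ == "__main__":
    sid = secrets.token_hex(16)  # constructed sample session
    tok = issue_token(sid)
    print("original form post:", handle_post({"SESSIONID": sid}, {"csrf_token": tok}, {}))
    print("original AJAX post:", handle_post({"SESSIONID": sid}, {}, {"X-CSRF-Token": tok}))
    print("replayed form post:", replay_with_other_cookies({"csrf_token": tok}, {}))
    print("replayed AJAX post:", replay_with_other_cookies({}, {"X-CSRF-Token": tok}))
```

If the replayed requests return 200 in a real application, the token is being checked for presence or format only and is not tied to the session that the cookies identify.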