Let's enforce csrf on home, it seems the cookie is never sent to the client only on this view. /spend 1h