[keycloak-user] CSRF token in user management pages

Dear All, According to the page here <https://www.keycloak.org/docs/2.5/server_admin/topics/threat/csrf.html> the only part of Keycloak that really falls into CSRF is the user account management pages. It mentions that in order to protect from CSRF, keycloak uses a state cookie. I imagine that the user account management pages are the ones under the url = http://localhost:8180/auth/realms/demo/account/, is this correct? If yes, the cookies i can see available in this page are an AUTH_SESSION_ID cookie and a KC_RESTART. I do not see a "stateChecker" value. I can see these files are related to csrf checking in the code of keycloak server * services/src/main/java/org/keycloak/services/resources/WelcomeResource.java * adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakCsrfRequestMatcher.java * services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java Can someone who has knowledge over this verify that the user account management pages is referring to the url provided above and if not expand on which pages are csrf protected? Also please verify that indeed the 3 files above are responsible for csrf chekcing Thank you