CSRF Protection, does it only validate CSRF token on POST requests? If so how does it protect attacker from GET requests?

I am unable to make usingHeaders to work. In the example it shows Cookies authorization but nothing with headers.

What header name is it looking for when authentication a session?

This implementation only protects non-GET requests, as stated in the readme: "assumes that GET requests are non-mutating (have no side effects)". If GETs have no side effects, you are safe wrt CSRF (the attacker cannot get the content anyway).

The default header names are here: https://github.com/softwaremill/akka-http-session/blob/master/core/src/main/resources/reference.conf, and can be customized using a .conf file. The default header name for setting auth is Set-Authorization (server->client), the default header name for getting auth is Authorization.

Can you post a code snippet that doesn't work (with headers)?

I was using Postman extension on Chrome to test things out. I haven't tried the Authorization and Refresh-Token when submitting. I will try that out and see how it goes. I'll close the issue and if it doesn't work will come back with actual posts and re-open. Thank you!