Auditing an app protected by a CSRF token with Stepper