@AnonymousAllowed REST endpoint returns 403

I have a Confluence plugin that includes xhtml-macro and rest modules. There is one endpoint which accepts POST requests. It is annotated with @AnonymousAllowed, yet when I attempt to access this endpoint from the macro’s JavaScript, I receive a 403 (Forbidden) error.

The full code for my plugin can be found here: https://github.com/zenahirsch/confluence-validator

I also tried making the request with basic authentication (using "admin" for the username and password, since this is a local install using atlas-run and those are the credentials I was given), but still received a 403.

The JavaScript:

    type: 'POST',
    url: '/confluence/rest/vimeo-validator/1.0/validate',
    headers: {
        "Authorization": "Basic " + btoa("admin:admin")
    success: function (data, status) {
        console.log('status: ', status);
        console.log('data: ', data);
    error: function () {
        console.error('there was an error with the req');

The request/response headers:

I must say I am confused.
What is the response body?
Install the REST browser plugin from marketplace and try posting from there.

The body is: XSRF check failed

Ah! I added the following header, and now it works:

"X-Atlassian-Token": "nocheck"