HP Fortify - CSRF issues

I ran HP Fortify on the Nextcloud source code. It reports possible CSRF (Cross Site Request Forgery) issues.

For example, apps/activity/js/settings.js , line 6.

$.post(OC.generateUrl(’/apps/activity/settings’, post, function(response) {
OC.msg.finishedSuccess(’#activity_notifications_msg’, response.data.message);
}

The Nextcloud documentation says that Nextcloud prevents CSRF.

“If you are using the App Framework, every controller method is automatically checked for CSRF unless you explicitly exclude it by setting the @NoCSRFRequired annotation before the controller method”

Can you give me more explanation?
https://docs.nextcloud.com/server/11/developer_manual/general/security.html
Thank you

Detecting CSRF issues is a bit hard for a software to do properly. Nextcloud does mandatory CSRF checks unless it’s turned off via controller annotation

Is there some way to test that Nextcloud is doing the CSRF check?
Is there some data I can put into Nextcloud and watch Nextcloud reject the data?

Is there some way to test that Nextcloud is doing the CSRF check?

Send a request without csrf token.

I plan to test it with ZAP - Zed Attack Proxy, a penetration testing tool.

Is there any easier way?

http://www2.hawaii.edu/~takebaya/cent285/csrf_zap/csrf_zap.html