API Error time, CSRF or requested by

While trying to insert an extractor via an API request I get:
Array ( [0] => HTTP/1.1 100 Continue [1] => HTTP/1.1 400 Bad Request Date: Thu, 16 May 2024 10:34:28 GMT X-Graylog-Node-ID: {AN ID} X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Runtime-Microseconds: 817 Content-Type: application/json Connection: close Content-Length: 122 {"type":"ApiError","message":"CSRF protection header is missing. Please add a \"X-Requested-By\" header to your request."} )

Which is already weird because I used code from a previous project, so I guess that broke to.

So in response to this I added the requested header, but that changes nothing. I also tried giving it the same value as the webinterface
curl_setopt($ch, CURLOPT_HEADER, array('X-Requested-By: XMLHttpRequest'));
no success either.

All initial research pointed me to this:
https://graylog2zh-cn.readthedocs.io/zh-cn/stable/pages/upgrade/graylog-2.5.html

But as stated I already added that header.

That’s the correct header but looks like you need to use CURLOPT_HTTPHEADER instead of CURLOPT_HEADER:

While named confusingly similar, CURLOPT_HTTPHEADER is used to set custom HTTP headers!