If you are creating a form outside of Blesta to submit to Blesta you will not be able to generate a CSRF token and should disable CSRF for the whois page. At https://docs.blesta.com/display/user/Configuration+Files#ConfigurationFiles-Encryption see Blesta.csrf_bypass the example to bypass CSRF checks for the domain search is:
Configure::set("Blesta.csrf_bypass", ['config::preconfig']);