koajs / csrf

CSRF tokens for koa
MIT License

Use with koa-router #40

Closed joegalley closed 6 years ago

joegalley commented 6 years ago

I'm not sure how koa-csrf intercepts HTTP requests - does it matter if I set my koa-router middleware before or after setting koa-csrf?

This is what I'm using now:

const Koa = require('koa');
const Router = require('koa-router');
const CSRF = require('koa-csrf');

const server = new Koa();
const router = new Router();

// koa-csrf stores its secret on ctx.session, so a session middleware
// (e.g. koa-session) must be registered before this line.
server.use(new CSRF({
    invalidSessionSecretMessage: 'Invalid session secret',
    invalidSessionSecretStatusCode: 403,
    invalidTokenMessage: 'Invalid CSRF token',
    invalidTokenStatusCode: 403,
    excludedMethods: ['GET', 'HEAD', 'OPTIONS'],
    disableQuery: false
}));

server.use(router.routes());

stephenmathieson commented 6 years ago

You should use koa-csrf before you define your routes. Generally speaking, global middleware should always be "first" in your stack.