titanism
commented
2 years ago For routes where you do not want to use CSRF, you can organize your routes using @koa/router and use router.use(new CSRF({ ... }); on certain ones you do, and for otherss just leave it out.
This ensure some requests like external server POST callback can work without requiring CSRF check.