krakenjs / lusca

Application security for express apps.

Update README.md #75

Closed ghost closed 8 years ago

ghost commented 8 years ago

I spent a good while trying to get CSRF protection working on my server, and it turned out that the reason it wasn't was because I had enabled body parser after lusca! Switching the order promptly fixed my issue.

jasisk commented 8 years ago

I think your point about registration order is a valid one. :+1:

We should, however, remove the line about body-parser as a requirement. csrf only protects routes that have a meaningful body (i.e., not GET, HEAD, or OPTIONS routes) so having some form of parser is implicit. Further, it doesn't have to be any one type of parser. For example, multipart works. Even a custom parser is totally fine. As long as the parsed body ultimately ends up on req.body, everything is a-ok.

That said, thanks for following up after you discovered the issue—wish more folks had that habit!

aredridel commented 8 years ago

I don't know that it's implicit -- there has to be something that populates the body, if the body is where the token is. lusca won't read it from the byte stream. This actually took us a bit to track down.