A dead simple CSRF middleware for Express (4.x): uses a single, per-session token with no unnecessary magic and/or tricks.
$ npm install simple-csrf
Add after you have a session implementation:
var csrf = ;app;app;
Validation is performed on requests that are not of type OPTIONS. The token is retrieved from either _csrf_token in the request body parameters or the X-CSRF-Token request header.
The CSRF token is available as csrfToken on both the request object and the renderer view locals.
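The behaviour described above, written out as an added sketch; this is not simple-csrf's source code. The names csrfSketch, tokensMatch and simulate, the session key used to store the token, the 403 status and the configurable exempt-method list are assumptions. Only _csrf_token, X-CSRF-Token, csrfToken and the OPTIONS exemption come from this README.

```javascript
// Added sketch of a per-session CSRF check; not the package's own code.
const nodeCrypto = require('node:crypto');

// Constant-time comparison; hashing both sides first equalises their lengths.
function tokensMatch(expected, supplied) {
  if (typeof supplied !== 'string' || supplied.length === 0) return false;
  const digest = (s) => nodeCrypto.createHash('sha256').update(s).digest();
  return nodeCrypto.timingSafeEqual(digest(expected), digest(supplied));
}

// exemptMethods defaults to what the README states; the parameter is an assumption.
function csrfSketch(exemptMethods = ['OPTIONS']) {
  return function (req, res, next) {
    if (!req.session) return next(new Error('session middleware must run first'));
    // One token per session: created on first use, then reused.
    if (!req.session.csrfToken) {
      req.session.csrfToken = nodeCrypto.randomBytes(32).toString('hex');
    }
    const token = req.session.csrfToken;
    req.csrfToken = token;            // available on the request object
    res.locals = res.locals || {};
    res.locals.csrfToken = token;     // available to rendered views
    if (exemptMethods.includes(req.method)) return next();
    // Body parameter first, then the header (Node lower-cases header names).
    const supplied = (req.body && req.body._csrf_token) ||
      (req.headers && req.headers['x-csrf-token']);
    if (!tokensMatch(token, supplied)) {
      const err = new Error('invalid CSRF token');
      err.status = 403;
      return next(err);
    }
    next();
  };
}

// Constructed request/response stand-ins so the sketch runs without Express.
function simulate(method, session, extra = {}) {
  const req = { method, session, headers: {}, body: {}, ...extra };
  const res = { locals: {} };
  let error = null;
  csrfSketch()(req, res, (err) => { error = err || null; });
  return { req, res, error };
}
```

A body value that is not a string (for example an array produced by a repeated form field) is rejected rather than coerced.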
MIT. See LICENSE.md.