Add csrf protection

package.json

@@ -43,6 +43,7 @@
     "compression": "^1.6.0",
     "connect-mongo": "~1.1.0",
     "cookie-parser": "^1.4.0",
+    "csurf": "^1.8.3",
     "debug": "^2.2.0",
     "dedent": "~0.6.0",
     "dotenv": "^2.0.0",

server/middleware.json

@@ -42,6 +42,7 @@
     "helmet#xssFilter": {},
     "helmet#noSniff": {},
     "helmet#frameguard": {},
+    "./middlewares/csurf": {},
     "./middlewares/constant-headers": {},
     "./middlewares/csp": {},
     "./middlewares/express-rx": {},

server/middlewares/csurf.js

@@ -0,0 +1,5 @@
+import csurf from 'csurf';
+
+export default function() {
+  return csurf({ cookie: true });
+}

server/middlewares/global-locals.js

@@ -2,6 +2,7 @@ export default function globalLocals() {
   return function(req, res, next) {
     // Make user object available in templates.
     res.locals.user = req.user;
+    res.locals._csrf = req.csrfToken();
     next();
   };
 }