router
CSRF blocked all private routes
Issue: In Router v2, CSRF validation has been moved earlier in the request lifecycle, which unintentionally blocks access to private routes that do not require CSRF protection. As a result, the current workaround is to disable CSRF protection entirely, which is not ideal for security.
For example, our internal devs accessing /playground are unable to update headers in the browser due to this restriction.
Proposed Solution: Introduce a configuration option that exempts specific routes from CSRF validation, maintaining backward compatibility while improving security.
```yaml
csrf:
  unsafe_disabled: false # Maintains backward compatibility
  exempt_routes: # List of routes to bypass CSRF validation
    - "/buildinfo"
    - "/playground"
```
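To make the proposed semantics concrete, here is an added Python sketch of the decision logic (not the router's own code): a request to a non-exempt route passes the CSRF check only if a browser could not have sent it as a "simple" cross-origin request, while exempt routes skip the check and `unsafe_disabled: true` keeps its old meaning. The required header names and the exact-path matching are assumptions made for this example.

```python
# Added illustration of the proposed exempt_routes option; not router code.
# The CSRF rule modelled here is the browser-CORS one: a request cannot be a
# cross-site forgery if a browser would have had to send a CORS preflight for
# it, i.e. it carries a non-simple Content-Type or a custom header.
from dataclasses import dataclass, field

# Content types a browser may send cross-origin without a preflight.
SIMPLE_CONTENT_TYPES = {
    "text/plain",
    "application/x-www-form-urlencoded",
    "multipart/form-data",
}

# Assumed custom-header names that mark a request as preflight-protected.
REQUIRED_HEADERS = ("x-apollo-operation-name", "apollo-require-preflight")


@dataclass
class CsrfConfig:
    """Mirror of the proposed csrf: block from the issue."""
    unsafe_disabled: bool = False
    exempt_routes: set[str] = field(default_factory=set)


def is_preflight_protected(headers: dict[str, str]) -> bool:
    """True when a browser would have been forced to preflight this request."""
    lowered = {k.lower(): v for k, v in headers.items()}
    # A request with no Content-Type is treated like text/plain (simple).
    ctype = lowered.get("content-type", "text/plain")
    ctype = ctype.split(";")[0].strip().lower()
    if ctype not in SIMPLE_CONTENT_TYPES:
        return True
    return any(name in lowered for name in REQUIRED_HEADERS)


def csrf_allows(config: CsrfConfig, path: str, headers: dict[str, str]) -> bool:
    """Decide whether the request may proceed past the CSRF layer."""
    if config.unsafe_disabled:          # legacy escape hatch: no check at all
        return True
    route = path.split("?", 1)[0]        # assumption: exact match, query ignored
    if route in config.exempt_routes:    # proposed per-route exemption
        return True
    return is_preflight_protected(headers)
```

Note that an exempt route bypasses the check entirely, so the list should only name endpoints such as build info or a developer playground that cannot act on an authenticated user's behalf.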