csurf is deprecated

[BlackthornYugen]

csurf is deprecated and should be removed or replaced

See: https://www.npmjs.com/package/csurf https://github.com/expressjs/csurf#readme

We should either move to an alternative or re-consider if this is required at all. Maybe this is something express has out of the box now?

[rtritto]

Some evaluations: CSRF tokens in ExpressJS — Node.js web framework

[rtritto]

@BlackthornYugen maybe we can use some of:

• @fastify/csrf (source: Explaining the csurf vulnerability: CSRF attacks on all versions)
• csrf-csrf, csrf-sync, Next.js csrf (source: csurf express is out of date and deprecated)
• @fastify/csrf-protection, NextAuths implementation (source: Secure CSRF alternative to csurf)
• tiny-csrf, @dr.pogodin/csurf, csrf-csrf (source: What is the best alternative to the deprecated CSURF package?)

Guide to follow/read:

• OWASP Cheat Sheet
• Analysis and Remediation Guidance of CSRF Vulnerability in Csurf Express.js Middleware