flask-csrf
Requests to not-existing urls return 400
We are using flask-csrf for our REST API, which serves a single-page application. This means almost all our routes are CSRF-protected, and the few which are not are handled using `csrf_exempt`.
We recently found that a non-existing route triggers an (incorrect) 400 response code instead of the expected 404 and were able to trace this issue back to the csrf handling. The problem lies in https://github.com/sjl/flask-csrf/blob/master/flaskext/csrf.py#L31
Is there any specific reason we are not aware of to have CSRF protection on routes not found by Flask? From our point of view, it should be OK to not handle CSRF here and simply return a 404!
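The behaviour discussed in this issue, as an added example that is not flask-csrf's own code: a simplified `before_request` CSRF hook that skips the check when Flask matched no route, so the normal 404 (or 405) is returned. The `X-CSRF-Token` header, the `_csrf_token` session key, the routes and all function names are assumptions made for the illustration.

```python
import hmac
import secrets
from flask import Flask, abort, request, session

_exempt_views = set()  # hypothetical registry, not flask-csrf's own

def csrf_exempt(view):
    _exempt_views.add(view)
    return view

def create_app():
    app = Flask(__name__)
    app.secret_key = secrets.token_hex(16)  # constructed key for the demo

    @app.before_request
    def csrf_protect():
        # Flask runs before_request hooks even when URL matching failed.
        # request.endpoint is then None and no view will execute, so skip
        # the check and let Flask raise its own 404 or 405.
        if request.endpoint is None:
            return
        view = app.view_functions.get(request.endpoint)
        if view in _exempt_views or request.method in ("GET", "HEAD", "OPTIONS"):
            return
        expected = session.get("_csrf_token", "")
        sent = request.headers.get("X-CSRF-Token", "")  # assumed header name
        if not expected or not hmac.compare_digest(expected.encode(), sent.encode()):
            abort(400)

    @app.route("/token")
    def token():
        session["_csrf_token"] = secrets.token_urlsafe(32)
        return {"csrf_token": session["_csrf_token"]}

    @app.route("/items", methods=["POST"])
    def create_item():
        return {"created": True}, 201

    @app.route("/webhook", methods=["POST"])
    @csrf_exempt
    def webhook():
        return {"ok": True}
    return app

def demo_statuses():
    """POST to an unknown, a protected and an exempt route; return status codes."""
    client = create_app().test_client()
    out = {name: client.post(path).status_code for name, path in
           [("unknown", "/no-such-route"), ("no_token", "/items"), ("exempt", "/webhook")]}
    tok = client.get("/token").get_json()["csrf_token"]
    out["valid"] = client.post("/items", headers={"X-CSRF-Token": tok}).status_code
    return out
```

Skipping the check for unmatched URLs does not weaken the protection, because no view function runs for those requests; every matched, non-exempt route still requires the token.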