* fix: relax csrf to exclude path based apps * add unit test to verify path based apps are not CSRF blocked