This whole CSRF business is getting silly. The thing I hate is that the connect and express docs are horribly out of date (not to mention sparse to begin with).
In fact, they changed the CSRF token stuff, but they hadn't updated the docs, and now they're changing the CSRF stuff again, but the docs are still old. 😞
This is sort of a showstopper we'll have to resolve before 0.3.0 lands.