javascript - Disable CSRF for a specific route? (Lusca) -

i have instructure canvas running on ubuntu server. clicking on link tool provider calls post rejected lusca, causing 403.

i've tried implement meddleware make exception. clicking tool link causes server hang minute, followed 403. no information appears in console me diagnose further. thoughts?

---

relevant folders structure

>node_modules  >meddleware  >lusca  >server   routes.js   express.js  >config    config.json  >lti    lti.controller.js    index.js 

---

routes.js

  app.use('/lti', require('/lti')); 

express.js

   var ltimiddleware = require("express-ims-lti");    var meddleware = require('meddleware'),         mconfig = require('shush')('/config.json');     export default function(app) {       app.use(meddleware(mconfig));       app.use(ltimiddleware({         consumer_key: "key",         consumer_secret: "secret",       })); 

config.js

{   "middleware": {     "appsec": {       "module": {         "arguments": [           {             "xframe": "sameorigin",             "p3p": false,             "csp": false           }         ]       }     },     "csrf": {       "enabled": true,       "priority": 111,       "route": "./((?!lti))*",       "module": {         "name": "lusca",         "method": "csrf",         "arguments": [ {} ]       }     }    } } 

lti/index.js

'use strict';  var express = require('express'); var controller = require('./lti.controller.js');  var router = express.router();  router.post('/', controller.index);  module.exports = router; 

---

have excluded code/files try , keep brief , relevant.

thanks