Unfortunately, the csurf package, which is used in some sections of this course, is no longer maintained at this time. The development team recently deprecated this popular package, saying that it should no longer be used (https://github.com/expressjs/csurf#deprecated).

The purpose of the corresponding course lectures is to explain the general principle of CSRF attacks. You can still safely use the deprecated package for learning purposes, since attacks are only simulated locally in our code.

However, in practice you should now choose a different package (https://www.npmjs.com/search?q=express%20csrf). You may, for example, consider using this package (which has a different API than csurf()): https://www.npmjs.com/package/csrf-csrf.

Please understand that support in this course currently still focuses on the csurf API, as shown in the course videos and code snapshots.

And most importantly, the general principle explained in this course is package independent.