New setting: `enableAuthTokenRotator` which defaults to **false**, unlike previously which was **true**. This allows for rotation of keys for csrf tokens on login and logout if you are using cbauth via the new interceptor: `AuthRotator`. Make sure you turn this flag to **true** to keep the previous version functionality.

This basically disables csrf until you want it.

and I talked about this today.

I still think CRSF in REST API with JWT and no sessions/cookies involved probably don’t produce an attack vector - happy to be proven wrong or pointed to a case where/how it does. I wonder what the generate endpoint is specifically for though.

To clarify the feature request: cbSecurity’s cbcrsf should be active and running by default. But I should be able to disable it fully with a simple setting in the cbcsrf config, something like “enabled” : “false” etc.