While I support the flexibility of being able to disable XSRF protection on specific endpoints, I hope it comes with lots of visible warnings about the potential dangers of doing so. My logout case is relatively harmless, but other endpoints won’t be.