or test with $csrfFetch
methodsToProtect: ['POST']
routeRules: { '/api/nocsrf': { csurf: false } }
/api/data