or test with $csrfFetch
methodsToProtect: ['POST']
routeRules: { '/api/nocsrf': { csurf: false } }
/api/data
[ "some", "specific", "data" ]