* chore: fix csrf error message on empty session header

  A more detailed error message was added to catch mismatched session tokens. This error was mistakenly applying to all CSRF failures.

* fix: relax csrf to exclude path based apps
* add unit test to verify path based apps are not CSRF blocked