Don't check CSRF for manage and edit methods

src/http/api.go

@@ -262,19 +262,21 @@ func (a *api) handler() http.Handler {
 
 	mux.Handle("/", a.blogHandler())
 
+	noCacheMiddleware := addResponseHeadersMiddleware(map[string]string{
+		"Cache-Control": "no-store, max-age=0",
+		"Pragma":        "no-cache",
+		"Expires":       "0",
+	})
+
 	h := applyMiddlewares(
 		apiutil.MethodMux(map[string]http.Handler{
-			"GET": applyMiddlewares(
+			"GET":    applyMiddlewares(mux),
-				mux,
+			"MANAGE": applyMiddlewares(mux, noCacheMiddleware),
-			),
+			"EDIT":   applyMiddlewares(mux, noCacheMiddleware),
 			"*": applyMiddlewares(
 				mux,
 				a.checkCSRFMiddleware,
-				addResponseHeadersMiddleware(map[string]string{
+				noCacheMiddleware,
-					"Cache-Control": "no-store, max-age=0",
-					"Pragma":        "no-cache",
-					"Expires":       "0",
-				}),
 			),
 		}),
 		setLoggerMiddleware(a.params.Logger),