Merge pull request #2309 from overleaf/spd-nodevcsrf

Remove /dev/csrf route from production

GitOrigin-RevId: 4dc19fa6d33214f9a4cc57ee1293c215eb072c00

services/web/app/src/router.js

@@ -972,7 +972,9 @@ function initialize(webRouter, privateApiRouter, publicApiRouter) {
     res.send('web sharelatex is alive (api)')
   )
 
-  webRouter.get('/dev/csrf', (req, res) => res.send(res.locals.csrfToken))
+  if (['development', 'test'].includes(process.env.NODE_ENV)) {
+    webRouter.get('/dev/csrf', (req, res) => res.send(res.locals.csrfToken))
+  }
 
   publicApiRouter.get('/health_check', HealthCheckController.check)
   privateApiRouter.get('/health_check', HealthCheckController.check)