This is a deviation from recommended patterns for connect-based middleware. When a middleware encounters an unrecoverable error, it should call next(err).

This is not the case below (index.js). Also the error message is misleading in this case because the configuration is valid:

throw new Error('misconfigured csrf')

Also this does not filter page and xhr requests versus resources. The end result is that resources like styles and images cannot be served to build a friendly nice looking error page.