Considering the following code:
... app.use express.csrf() ... app.use express.methodOverride()
GET / HTTP/1.1 [..] _method=POST
Update 06/04: Douglas W. pointed out that it's probably a good idea to move to method-override version 2+ (https://www.npmjs.org/package/method-override#readme). The documentation has been updated with a reference to this issue.