I’m using PlayFramework 2.3  on a new project of mine. Because I want the project to be safe by default, I enabled CSRF (Cross Site Request Forgery) Protection globally  .
In this project, I’m doing a pass-through of some legacy pages using a custom proxy I’ve built. These pages don’t know the concept of CSRF-Tokens and therefor need to be excluded from CSRF checking.
Unfortunately the PlayFrameworks CSRF-Filter currently only allows to either disable CSRF Protection globally and only enable it on certain actions or enable it globally and disable it nowhere… that’s not really what I want..
To accomplish my goal, I had to create a little hack.. thanks to the decorator pattern  it is only a few lines of code. It consists of 3 easy steps.
1. Adjust your Global.scala file like this
2. Adjust your routes file. Actions that should be excluded from the CSRF Check need a comment #NOCSRF above them like this
3. This is it basically. If you need your page to have a CSRF Token available (because it e.g. contains a login form), annotate or wrap your actions accordingly