diff --git a/Router/Router.php b/Router/Router.php
index 01cf0a2e4..5b5c7b0fb 100644
--- a/Router/Router.php
+++ b/Router/Router.php
@@ -14,6 +14,10 @@ declare(strict_types=1);
 
 namespace phpOMS\Router;
 
+use phpOMS\Message\RequestAbstract;
+use phpOMS\Message\Http\Request;
+use phpOMS\Uri\Http;
+
 /**
  * Router class.
  *
@@ -95,18 +99,21 @@ final class Router
     /**
      * Route request.
      *
-     * @param string $request Request to route
-     * @param int    $verb    Route verb
+     * @param RequestAbstract $request Request to route
+     * @param int             $verb    Route verb
      *
      * @return array[]
      *
      * @since  1.0.0
      */
-    public function route(string $request, int $verb = RouteVerb::GET, string $app = null, int $orgId = null, $account = null) : array
+    public function route(RequestAbstract $request, int $verb = RouteVerb::GET, string $app = null, int $orgId = null, $account = null) : array
     {
         $bound = [];
+        $uri   = $request->getUri()->getRoute();
+        $csrf  = $request->getData('CSRF');
+
         foreach ($this->routes as $route => $destination) {
-            if (!((bool) \preg_match('~^' . $route . '$~', $request))) {
+            if (!((bool) \preg_match('~^' . $route . '$~', $uri))) {
                 continue;
             }
 
@@ -116,8 +123,8 @@ final class Router
                     || ($verb & $d['verb']) === $verb
                 ) {
                     // if csrf is required but not set
-                    if (isset($d['csrf']) && !$d['csrf']) {
-                        \array_merge($bound, $this->route('/' . $app . '/e403', $verb));
+                    if (isset($d['csrf']) && $csrf === null) {
+                        \array_merge($bound, $this->route(new Request(new Http('/' . $app . '/e403')), $verb));
 
                         continue;
                     }
@@ -127,7 +134,7 @@ final class Router
                         || (isset($d['permission'])
                             && !$account->hasPermission($d['permission']['type'], $orgId, $app, $d['permission']['module'], $d['permission']['state']))
                     ) {
-                        \array_merge($bound, $this->route('/' . $app . '/e403', $verb));
+                        \array_merge($bound, $this->route(new Request(new Http('/' . $app . '/e403')), $verb));
 
                         continue;
                     }
diff --git a/tests/Router/RouterTest.php b/tests/Router/RouterTest.php
index 8e29689ea..2bf109a40 100644
--- a/tests/Router/RouterTest.php
+++ b/tests/Router/RouterTest.php
@@ -38,7 +38,6 @@ class RouterTest extends \PHPUnit\Framework\TestCase
     {
         $router = new Router();
         self::assertEmpty($router->route(new Request(new Http('http://test.com'))));
-        self::assertEmpty($router->route('http://test.com'));
     }
 
     public function testGetSet() : void
@@ -49,33 +48,33 @@ class RouterTest extends \PHPUnit\Framework\TestCase
 
         self::assertEquals(
             [['dest' => '\Modules\Admin\Controller:viewSettingsGeneral']],
-            $router->route('http://test.com/backend/admin/settings/general/something?test')
+            $router->route(new Request(new Http('http://test.com/backend/admin/settings/general/something?test')))
         );
 
         self::assertNotEquals(
             [['dest' => '\Modules\Admin\Controller:viewSettingsGeneral']],
-            $router->route('http://test.com/backend/admin/settings/general/something?test', RouteVerb::PUT)
+            $router->route(new Request(new Http('http://test.com/backend/admin/settings/general/something?test')), RouteVerb::PUT)
         );
 
         self::assertNotEquals(
             [['dest' => '\Modules\Admin\Controller:viewSettingsGeneral']],
-            $router->route('http://test.com/backends/admin/settings/general/something?test')
+            $router->route(new Request(new Http('http://test.com/backends/admin/settings/general/something?test')))
         );
 
         $router->add('^.*/backends/admin/settings/general.*$', 'Controller:test', RouteVerb::GET | RouteVerb::SET);
         self::assertEquals(
             [['dest' => 'Controller:test']],
-            $router->route('http://test.com/backends/admin/settings/general/something?test', RouteVerb::ANY)
+            $router->route(new Request(new Http('http://test.com/backends/admin/settings/general/something?test')), RouteVerb::ANY)
         );
 
         self::assertEquals(
             [['dest' => 'Controller:test']],
-            $router->route('http://test.com/backends/admin/settings/general/something?test', RouteVerb::SET)
+            $router->route(new Request(new Http('http://test.com/backends/admin/settings/general/something?test')), RouteVerb::SET)
         );
 
         self::assertEquals(
             [['dest' => 'Controller:test']],
-            $router->route('http://test.com/backends/admin/settings/general/something?test', RouteVerb::GET)
+            $router->route(new Request(new Http('http://test.com/backends/admin/settings/general/something?test')), RouteVerb::GET)
         );
     }
 
@@ -101,7 +100,7 @@ class RouterTest extends \PHPUnit\Framework\TestCase
         self::assertEquals(
             [['dest' => '\Modules\Admin\Controller:viewSettingsGeneral']],
             $router->route(
-                'http://test.com/backend/admin/settings/general/something?test',
+                new Request(new Http('http://test.com/backend/admin/settings/general/something?test')),
                 RouteVerb::GET,
                 null,
                 null,
@@ -150,7 +149,7 @@ class RouterTest extends \PHPUnit\Framework\TestCase
         self::assertNotEquals(
             [['dest' => '\Modules\Admin\Controller:viewSettingsGeneral']],
             $router->route(
-                'http://test.com/backend/admin/settings/general/something?test',
+                new Request(new Http('http://test.com/backend/admin/settings/general/something?test')),
                 RouteVerb::GET,
                 null,
                 null,