Add XSRF protection for POST requests

Some Hydra API requests were vulnerable to XSRF attacks, e.g. you could have a form on another website using http://hydra/logout as the form action. So we now require POST requests to come from the same origin.

Reported by Hans-Christian Esperer.

Created by  Eelco Dolstra  on October 20, 2016
2P35LNRY3ZWGLARBNWLQEW2QPS3CTK4Z677ZZYFX4GLVNLUONYBAC
Change contents