Handler that generates and validates a CSRF token.
An attacker can coerce a victim's browser to make the following types of requests:
GET requests
POST requests with a "Content-Type" of "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain".
An attacker cannot:
Coerce the browser to use other request methods such as PUT and DELETE.
Coerce the browser to post other content types, such as "application/json".
Coerce the browser to send new cookies, other than those that the server has already set.
Coerce the browser to set arbitrary headers, other than the normal headers the browser adds to requests.
Since GET requests are not meant to be mutative, there is no danger to an application that follows this best practice.
Rules:
Permit POST if the "Content-Type" is not a guarded type (see above).
Permit POST if the "Csrf-Token" header is "nocheck".
Permit POST if the "_csrf_token" query parameter or form field matches the session csrf token.
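The rules above, carried through as an added Go example (this is not the handler's own code). The names PermitRequest, IsGuardedContentType, NewCSRFToken, CSRFMiddleware and the lookupSession hook are assumptions made here; the session token would normally come from the application's session store. The content-type check parses the media type, so a "; charset=" or "; boundary=" parameter does not change which rule applies, and a missing or unparseable Content-Type is treated as guarded.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// guardedTypes are the content types a cross-site HTML form can submit.
// A POST of any other type (e.g. application/json) cannot be coerced, so it passes.
var guardedTypes = map[string]bool{
	"application/x-www-form-urlencoded": true,
	"multipart/form-data":               true,
	"text/plain":                        true,
}

// NewCSRFToken generates a fresh session token: 32 random bytes, hex encoded.
func NewCSRFToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// IsGuardedContentType compares only the media type, so parameters such as
// "; charset=utf-8" or "; boundary=..." do not affect the decision.
// A missing or unparseable header is treated as guarded (fail closed).
func IsGuardedContentType(header string) bool {
	mediaType, _, err := mime.ParseMediaType(header)
	if err != nil {
		return true
	}
	return guardedTypes[strings.ToLower(mediaType)]
}

// PermitRequest applies the three rules to a request, given the token held in
// the caller's session. Non-POST methods are not checked: GET is assumed
// non-mutative, and a browser cannot be coerced into PUT or DELETE.
func PermitRequest(r *http.Request, sessionToken string) bool {
	if r.Method != http.MethodPost {
		return true
	}
	// Rule 1: only the content types a form can produce are guarded.
	if !IsGuardedContentType(r.Header.Get("Content-Type")) {
		return true
	}
	// Rule 2: a cross-site form cannot add a custom header, so its presence
	// shows the request came from the application's own JavaScript.
	if r.Header.Get("Csrf-Token") == "nocheck" {
		return true
	}
	// Rule 3: the token in the query string or form body must match the
	// session token. FormValue reads both and parses multipart bodies too.
	submitted := r.FormValue("_csrf_token")
	if sessionToken == "" || submitted == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(submitted), []byte(sessionToken)) == 1
}

// CSRFMiddleware rejects requests that fail PermitRequest with 403.
// lookupSession is a hypothetical hook returning the token stored for the
// requester's session (empty if there is none).
func CSRFMiddleware(lookupSession func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !PermitRequest(r, lookupSession(r)) {
			http.Error(w, "invalid or missing CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	token, _ := NewCSRFToken()
	handler := CSRFMiddleware(
		func(*http.Request) string { return token }, // constructed: a single fixed session
		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }),
	)
	// Constructed requests: a form post without the token, and the same post carrying it.
	forged := httptest.NewRequest(http.MethodPost, "/transfer", strings.NewReader("amount=100"))
	forged.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	legit := httptest.NewRequest(http.MethodPost, "/transfer?_csrf_token="+token, strings.NewReader("amount=100"))
	legit.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	for _, r := range []*http.Request{forged, legit} {
		rec := httptest.NewRecorder()
		handler.ServeHTTP(rec, r)
		fmt.Println(r.URL.RequestURI(), "->", rec.Code)
	}
}
```

The comparison uses subtle.ConstantTimeCompare rather than ==, and an empty session token never matches anything, so a session that has not yet been issued a token cannot satisfy rule 3.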