author Donald Stufft <donald@stufft.io> 2016-04-15 17:41:35 -0400
committer Donald Stufft <donald@stufft.io> 2016-04-15 18:31:23 -0400
commit f12005b92fa9bb33f082bd50747eb11791605cff (patch)
tree ba171caede0f861a5ded96309615b10351a7484b /docs/quick_tutorial
parent bf33b200bbb72114ca55150724b0a4c51d7ef535 (diff)
download pyramid-f12005b92fa9bb33f082bd50747eb11791605cff.tar.gz
pyramid-f12005b92fa9bb33f082bd50747eb11791605cff.tar.bz2
pyramid-f12005b92fa9bb33f082bd50747eb11791605cff.zip
Only Accept CSRF Tokens in headers or POST bodies
Previously `check_csrf_token` would allow passing in a CSRF token through the URL of a request. However, this is a security issue because a CSRF token must not be allowed to leak, and URLs regularly get copy/pasted or otherwise end up leaking to the outside world.
Diffstat (limited to 'docs/quick_tutorial')
0 files changed, 0 insertions, 0 deletions
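The rule the commit message describes, as an added example that is not part of this commit and not the project's `check_csrf_token`: a token is read only from a request header or a form-encoded POST body, and the URL query string is never consulted. The `Request` class, the function names, the `csrf_token` field and `X-CSRF-Token` header names, and the sample token are assumptions made for illustration.

```python
import hmac
from urllib.parse import parse_qs

SESSION_TOKEN = "constructed-token-123"  # constructed sample value


class Request:
    """Minimal stand-in for a web request (hypothetical, not a framework class)."""

    def __init__(self, method, query="", headers=None, body=""):
        self.method = method.upper()
        self.query = query  # raw URL query string
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.body = body    # raw request body


def supplied_token(request, field="csrf_token", header="X-CSRF-Token"):
    """Return the client's token, looking only at the header and the POST body."""
    value = request.headers.get(header.lower(), "")
    if value:
        return value
    ctype = request.headers.get("content-type", "")
    if request.method == "POST" and ctype.startswith(
        "application/x-www-form-urlencoded"
    ):
        values = parse_qs(request.body).get(field, [])
        if len(values) == 1:  # an ambiguous, repeated field is treated as absent
            return values[0]
    # request.query is deliberately ignored: URLs end up in logs, browser
    # history, Referer headers and copy/paste, so a token there can leak.
    return ""


def csrf_token_ok(request, expected):
    """Constant-time comparison; an empty expected token never validates."""
    supplied = supplied_token(request)
    return bool(expected) and hmac.compare_digest(
        supplied.encode("utf-8"), expected.encode("utf-8")
    )


if __name__ == "__main__":
    form = {"Content-Type": "application/x-www-form-urlencoded"}
    in_url = Request("POST", query="csrf_token=" + SESSION_TOKEN, headers=form)
    in_body = Request("POST", headers=form, body="csrf_token=" + SESSION_TOKEN)
    print("token in URL accepted: ", csrf_token_ok(in_url, SESSION_TOKEN))
    print("token in body accepted:", csrf_token_ok(in_body, SESSION_TOKEN))
```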