CSRF protection mechanisms

[franklindyer]

The site needs some defense mechanisms against CSRF. These include:

• [x] CSRF tokens linked to users' individual session cookies attached to all sensitive forms.
• [x] Referer-based blocking of malicious POST requests.
• [x] Configuration of content security policy.
• [x] Logging out should close all active sessions rather than just the one currently in use.
• [x] Require the user's current password before changing their email from the account page.
• [x] Use Same-Site: Strict for session cookies

[franklindyer]

Update: I've decided not to use Referer-based validation at all, due to the possibility of excluding legitimate users whose Referer headers are suppressed for some reason.

[franklindyer]

Update: though including a strict CSP is probably not a bad idea overall, I don't think it is actually necessary for remediating this particular issue.