perfsonar / toolkit

perfSONAR Toolkit distribution environment scripts and GUI
Apache License 2.0

Protect against XSFR attacks #240

Open laeti-tia opened 7 years ago

laeti-tia commented 7 years ago

Our current forms, i.e. configuration changes forms, are not well protected against XSFR attacks. We should use one-time tokens or other functionalities to make sure POST requests are originating from real users.

From GN4-SA2T1 report 2.2.21.
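As an added illustration of the one-time token approach the issue asks for (cross-site request forgery protection; this is example code, not code from the perfSONAR toolkit), the sketch below binds each token to the user's session, accepts it exactly once, and compares it in constant time. Session ids, the form dictionaries and the `handle_config_post` handler are constructed placeholders standing in for the toolkit's configuration forms.

```python
import hmac
import secrets

TOKEN_FIELD = "csrf_token"  # hidden form field carrying the one-time token


class CsrfGuard:
    """Per-session store of outstanding one-time tokens (in-memory for the demo)."""

    def __init__(self):
        self._outstanding = {}  # session_id -> set of tokens not yet consumed

    def issue_token(self, session_id):
        # 256 bits of CSPRNG output; a guessable token would defeat the check.
        token = secrets.token_urlsafe(32)
        self._outstanding.setdefault(session_id, set()).add(token)
        return token

    def hidden_field(self, session_id):
        # Rendered into every state-changing form served to this session.
        return f'<input type="hidden" name="{TOKEN_FIELD}" value="{self.issue_token(session_id)}">'

    def validate(self, session_id, form):
        """True once per issued token, and only for the session it was issued to."""
        submitted = form.get(TOKEN_FIELD)
        if not submitted or not submitted.isascii():
            return False
        tokens = self._outstanding.get(session_id, set())
        # Constant-time comparison so response timing does not leak token bytes.
        match = next((t for t in tokens if hmac.compare_digest(t, submitted)), None)
        if match is None:
            return False
        tokens.discard(match)  # one-time use: replaying the same token fails
        return True


def handle_config_post(guard, session_id, form):
    """Constructed stand-in for a config-change handler: 403 unless the token checks out."""
    if not guard.validate(session_id, form):
        return 403, "rejected: missing, foreign or reused token"
    return 200, f"applied: {form.get('setting')}"


if __name__ == "__main__":
    guard = CsrfGuard()
    token = guard.issue_token("victim-session")
    print(handle_config_post(guard, "victim-session", {TOKEN_FIELD: token, "setting": "ntp=on"}))
    # A cross-site POST rides on the victim's cookie but cannot read the token:
    print(handle_config_post(guard, "victim-session", {"setting": "ntp=off"}))
```

Because the token is tied to the session and consumed on first use, a request that is missing it, carries one issued to a different session, or replays an already-used one is rejected even though the browser attached the authenticated cookie.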

apertome commented 7 years ago

This is certainly not a bad idea, but since the forms are all auth-protected, the risk is minimal here.

apertome commented 7 years ago

I can't see the actual report, but I believe this request requires reviewing ALL portions of the admin interface and updating each form/webservice -- as well as figuring out what sort of anti-XSFR mechanism to use.