Support X-Csrf-Token header

[thekid]

For AJAX requests, it may be easier to send a header along instead of merging the CSRF token into the payload.

• https://en.wikipedia.org/wiki/Cross-site_request_forgery
• https://stackoverflow.com/questions/30149023/how-to-include-the-csrf-token-in-the-headers-in-dropzone-upload-request
• https://htmx.org/events/#htmx:configRequest