Add APICSRFProtection middleware that requires X-Requested-With header
on all state-changing (non-GET/HEAD/OPTIONS) API requests. This prevents
CSRF attacks since browsers won't send custom headers in cross-origin
simple requests (form posts, navigations).
Changes:
- Add APICSRFProtection() middleware in internal/middleware/middleware.go
- Apply middleware to /api/v1 route group in routes.go
- Add X-Requested-With to CORS allowed headers
- Add unit tests for the middleware (csrf_test.go)
- Add integration tests for CSRF rejection/allowance (api_test.go)
- Update existing API tests to include the required header
