Review CSRF middleware and `Sec-Fetch-Site` header

[aldas]

Note to self: Hackernews had this blog post posted.

• https://blog.miguelgrinberg.com/post/csrf-protection-without-tokens-or-hidden-form-fields
• https://words.filippo.io/csrf/
• Use a modern approach for cross-site request forgery protection rails/rails#56350

Maybe there is something we can adopt?