Certain API endpoints are vulnerable to CSRF attacks. #687

Open
svgils opened this issue Jan 11, 2024 · 1 comment
Labels
api security Something causes a potential security risk

Comments

@svgils
Collaborator

svgils commented Jan 11, 2024

API endpoints that both enable CORS and allow every (*) origin, as well as require authentication, are susceptible to Cross-Site Request Forgery attacks.
This can happen since the browser will attach the authentication cookies to every request to the LXCat domain. By allowing every origin, this can give malicious 3rd parties access to unauthorized data through the use of the logged-in users' credentials.

Possible solutions:

  1. Use anti-CSRF tokens. These tokens get sent when a session is created (not as a cookie!), and are added to the query part of the request URL. This works since scripts on 3rd-party domains do not have access to this token, and thus cannot add the correct token to the request.
  2. Ignore session cookies when the request origin is foreign, and only accept access tokens. (Would still be susceptible to origin spoofing. Although browsers don't allow this, man-in-the-middle attacks are still a risk.)
svgils added the security ("Something causes a potential security risk") and api labels on Jan 11, 2024
@svgils
Collaborator Author

svgils commented Jan 11, 2024

It seems there is already a csrf-token cookie present besides the session-token, and both cookies have the SameSite policy set to Lax, meaning they will only be included with requests originating from the LXCat domain. However, since older browsers might not have support for the SameSite cookie policy, it might still be necessary to move the csrf-token out of the cookies.
Current support for SameSite encompasses approximately 95% of all users.
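The SameSite behaviour the comment above relies on, as an added example that is not LXCat's own code: a small Node.js model of which cookies a browser attaches to a request under the Lax, Strict and None rules, plus a `Set-Cookie` builder. It is a deliberate simplification of the RFC 6265bis rules, reduced to the cases that matter for CSRF; the cookie jar (two Lax cookies named as in the comment) and the request contexts are constructed values, and the treatment of a cookie with no SameSite attribute is an assumption noted in the code.

```javascript
// Added example, not LXCat's own code: a model of which cookies a browser
// attaches to a request under the SameSite rules, with a Set-Cookie builder.
// Simplified from RFC 6265bis to the cases relevant to CSRF; the jar and
// contexts are constructed.

function setCookieHeader(name, value, opts = {}) {
  const { sameSite = "Lax", secure = true, httpOnly = true, path = "/" } = opts;
  if (sameSite === "None" && !secure) {
    throw new Error("SameSite=None cookies are rejected by browsers unless Secure");
  }
  const parts = [`${name}=${value}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// jar: [{ name, sameSite }] with sameSite "Lax", "Strict", "None" or undefined.
// ctx: { crossSite, topLevelNavigation, method, supportsSameSite }
// Returns the names of the cookies the modelled browser would send.
function cookiesSent(jar, ctx) {
  return jar
    .filter((c) => {
      if (!ctx.crossSite) return true;        // same-site: every cookie is sent
      if (!ctx.supportsSameSite) return true; // old browser: attribute ignored
      // Assumption: a cookie without the attribute is modelled as sent.
      // Chromium defaults it to Lax, other engines have not consistently
      // done so, and a server should not rely on either.
      switch (c.sameSite || "None") {
        case "Strict": return false;
        case "Lax":    return ctx.topLevelNavigation &&
                              (ctx.method === "GET" || ctx.method === "HEAD");
        default:       return true; // "None"
      }
    })
    .map((c) => c.name);
}

// Constructed jar mirroring the comment: both cookies carry SameSite=Lax.
const JAR = [
  { name: "session-token", sameSite: "Lax" },
  { name: "csrf-token", sameSite: "Lax" },
];

function scenarios() {
  const modern = { supportsSameSite: true };
  const legacy = { supportsSameSite: false };
  return {
    // fetch()/XHR from the LXCat origin itself
    sameSiteFetch:        cookiesSent(JAR, { ...modern, crossSite: false, topLevelNavigation: false, method: "POST" }),
    // fetch() from evil.example
    crossSiteFetch:       cookiesSent(JAR, { ...modern, crossSite: true, topLevelNavigation: false, method: "POST" }),
    // auto-submitting <form method="POST"> on evil.example (top-level, but not GET)
    crossSiteFormPost:    cookiesSent(JAR, { ...modern, crossSite: true, topLevelNavigation: true, method: "POST" }),
    // a plain link from evil.example: Lax cookies still travel
    crossSiteLinkGet:     cookiesSent(JAR, { ...modern, crossSite: true, topLevelNavigation: true, method: "GET" }),
    // a browser without SameSite support, the minority the comment mentions
    legacyCrossSiteFetch: cookiesSent(JAR, { ...legacy, crossSite: true, topLevelNavigation: false, method: "POST" }),
  };
}
```

Two of the scenarios are the ones a practitioner should check against the API: `crossSiteLinkGet` shows that Lax still sends both cookies on a cross-site top-level GET, so any GET endpoint that changes state is exposed regardless of the cookie policy; `legacyCrossSiteFetch` shows that a browser which does not understand the attribute sends everything, which is why a token that lives outside the cookie jar (option 1 in the first comment) is the defence that does not depend on client support.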
