Turn on CSRF protection

[jlfwong]

Flow has been CSRF vulnerable since forever ago 😄

Here's an example CSRF attack that when loaded in a user's browser while they're logged into flow will add the Security course to their shortlist.

<!-- uwflow-xsrf.html -->
<style type="text/css">
iframe {
    position: absolute;
    top: 0;
    left: -9000px;
}
</style>
<h1>Nothing Suspicious Here</h1>
<iframe src="uwflow-xsrf-frame.html"></iframe>

<!-- uwflow-xsrf-frame.html -->
<script>
window.onload = function() {
    var form = document.getElementById("frm");
    form.submit();
};
</script>
<form action="http://localhost:5000/api/user/add_course_to_shortlist" method="POST" id="frm">
    <input type="hidden" name="course_id" value="cs458" />
    <input type="submit" />
</form>

Test Plan

Loaded the above POC exploit before this patch, saw that it added the security course.

Applied patch, deleted account using tools/devshell.py, recreated account, ensured that I was still able to import transcript and add ratings to courses.

Loaded the above POC again, saw that it hit a 403 by looking at the network panel in the chrome devtools.

[divad12]

nit: originating

[divad12]

LGTM, thanks!