Remove CSRF protection

[chriddyp]

Besides the GET of index.html, Dash only supports POST requests with application/json. These are actually unsusceptible to CSRF attacks according to https://security.stackexchange.com/questions/23371/csrf-protection-with-custom-headers-and-without-validating-token/58308#58308. Based off of this, I believe that we should be able to remove CSRF protection and therefore will not require users to create a app.server.config.SECRET_KEY.

[ned2]

I don't know enough about CSRF to comment on whether that makes sense, but if that's the case, then yeah I definitely reckon it should go. It caused me a lot of hassles working out that I needed to set the secret key, and it's something I've seen coming up a fair bit as an issue for people on the community forums. Would save a bit of headache potentially.