Want to allow the option to store the JWT in a cookie instead of local storage in a web browser (see https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage).
If we do it that way, we need to enable additional security to protect against CSRF (see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet).
There are probably other ways and options to protect against this stuff as well. I should do some more research on the matter before starting on this.
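
One way to pair a cookie-stored JWT with CSRF protection is the double-submit pattern, sketched here as an added example that is not part of the original post or of any project's code. The function names, the `csrf` claim and the `X-CSRF-Token` header are assumptions chosen for illustration, and expiry checks are left out to keep the focus on the CSRF check.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key"   # constructed sample key for the demo only
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(signing_input: str) -> str:
    mac = hmac.new(SECRET, signing_input.encode(), hashlib.sha256)
    return b64(mac.digest())

def issue_login_cookies(user: str) -> dict:
    """Set-Cookie values for a freshly authenticated user (hypothetical helper)."""
    csrf = secrets.token_urlsafe(32)
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64(json.dumps({"sub": user, "csrf": csrf}).encode())
    jwt = f"{header}.{payload}.{sign(header + '.' + payload)}"
    return {
        # HttpOnly keeps page scripts from reading the JWT itself.
        "access_token": f"{jwt}; HttpOnly; Secure; SameSite=Lax; Path=/",
        # Readable by same-origin script so it can be echoed in a header.
        "csrf_token": f"{csrf}; Secure; SameSite=Lax; Path=/",
    }

def authenticate(method: str, cookies: dict, headers: dict):
    """Return the user name, or None when the request must be rejected."""
    parts = cookies.get("access_token", "").split(".")
    if len(parts) != 3:
        return None
    expected = sign(parts[0] + "." + parts[1])   # always HS256; header alg ignored
    if not hmac.compare_digest(expected.encode(), parts[2].encode()):
        return None
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if method.upper() not in SAFE_METHODS:
        # The browser attaches the cookie to a forged cross-site request,
        # but the forging page cannot read the token to set this header.
        sent = headers.get("X-CSRF-Token", "")
        if not sent or not hmac.compare_digest(sent.encode(), claims["csrf"].encode()):
            return None
    return claims["sub"]
```

Because the CSRF value is bound inside the signed JWT, a cookie planted from a sibling subdomain cannot make an arbitrary header value pass the comparison.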