feat: csrf tokens handling

api/parameters/xsrf_token_header.yaml

@@ -0,0 +1,10 @@
+name: X-XSRF-TOKEN
+in: header
+required: true
+schema:
+  type: string
+  pattern: "^[a-zA-Z0-9_-]{32,64}$"
+description: |
+  Anti-CSRF token. Must match the `XSRF-TOKEN` cookie.
+  Required for all state-changing requests (POST/PUT/PATCH/DELETE).
+example: "abc123def456ghi789jkl012mno345pqr"