All endpoints generally (if possible) and certainly any authentication endpoints should require a specific content type of JSON (application/json, or a subtype of the form application/*+json, e.g., application/ld+json). No other types like text/plain should be permitted. This is to prevent CSRF (cross-site request forgery) on all non-CORS-supported endpoints without needing to include additional CSRF protections like tokens, etc. The csrf library we're using here or in related layers has been deprecated and needs to be removed -- and we don't need it.
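One way to enforce this at the HTTP layer, as an added example that is not code from this project: a strict media-type check plus a Connect/Express-style middleware that answers 415 for anything else. It relies on the fact that a cross-origin HTML form can only send application/x-www-form-urlencoded, multipart/form-data or text/plain, while a script sending application/json triggers a CORS preflight. The names `isJsonMediaType`, `requireJson` and `check` are hypothetical, and exempting only GET, HEAD and OPTIONS is an assumption.

```javascript
// Added example; isJsonMediaType, requireJson and check are hypothetical names.
// RFC 7230 token characters, used for the part of the subtype before "+json".
const TOKEN = "[!#$%&'*+.^_`|~0-9a-z-]+";
const JSON_TYPE = new RegExp(`^application/(?:${TOKEN}\\+)?json$`);
// Assumption: only safe, read-only methods are exempt from the check.
const EXEMPT_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

function isJsonMediaType(header) {
  // A missing header fails too: a POST can be sent without one.
  if (typeof header !== 'string') return false;
  // A comma means the header was repeated and joined; refuse to guess.
  if (header.includes(',')) return false;
  // Compare only the type/subtype, never a substring of the whole value, so
  // "text/plain; application/json" is still treated as text/plain.
  const essence = header.split(';', 1)[0].trim().toLowerCase();
  return JSON_TYPE.test(essence);
}

// Connect/Express-style middleware; also works with plain node:http objects.
function requireJson(req, res, next) {
  if (EXEMPT_METHODS.has(req.method)) return next();
  if (isJsonMediaType(req.headers['content-type'])) return next();
  res.statusCode = 415; // Unsupported Media Type
  res.setHeader('Content-Type', 'application/json');
  res.end(JSON.stringify({
    error: 'Content-Type must be application/json or application/*+json'
  }));
}

// Runs the middleware against a constructed request and reports the outcome.
function check(method, contentType) {
  let passed = false;
  const headers = contentType === undefined ? {} : {'content-type': contentType};
  const res = {statusCode: 200, setHeader() {}, end() {}};
  requireJson({method, headers}, res, () => { passed = true; });
  return passed ? 'next' : res.statusCode;
}
```

The middleware has to run before any body parser that accepts form or text bodies, otherwise a rejected request may already have been parsed.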