Missing CSRF protection

[mperham]

Kemal doesn't support sessions yet so we can't implement CSRF protection via a session-based authenticity token. We need to implement this once session support has been released.