CSRF protection on single page app API