XSRF protection filter

[mattklein123]

cc @heston

Ideally, Envoy would handle the full XSRF lifecycle:

1. Send a cookie containing a cryptographic hash (XSRF token) on GET requests.

2. On PUT/POST/DELETE requests, Envoy would inspect various parts of the request looking for the token (XSRF_TOKEN header, encoded form body, json body).

3. Envoy would validate the token (hash is valid, not expired).

4. If valid, the request is passed to the origin.

5. If invalid, Envoy would send a 406 status.

We'd also need a way to opt-in/opt-out of xsrf protection for certain endpoints.

[stale]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

[stale]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.