fix: prevent unrelated websites from modifying shortlinks via CSRF

Added two mitigations for this issue:

- Attach an 'X-Requested-With' header in client requests
- Make sure client POST requests have a content type of "application/json"

Author: midchildan

web/assets/lib/xhr.ts

@@ -48,7 +48,9 @@ namespace xhr {
 	export var create = (method: string, url: string) => {
 		var xhr = new XMLHttpRequest();
 		xhr.open(method, url, true);
-		return new Req(xhr);
+
+		var req = new Req(xhr);
+		return req.withHeader('X-Requested-With', 'XMLHttpRequest');
 	};
 
 	export var get = (url: string) => {