Notes:

• https://en.wikipedia.org/wiki/Same-origin_policy
• https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
• https://en.wikipedia.org/wiki/Cross-site_request_forgery
• https://en.wikipedia.org/wiki/Cross-site_scripting
• https://www.youtube.com/watch?v=hW2ONyxAySY
• https://security.stackexchange.com/questions/157061/how-does-csrf-correlate-with-same-origin-policy
• https://stackoverflow.com/questions/33261244/why-same-origin-policy-isnt-enough-to-prevent-csrf-attacks
• http://mo.github.io/2017/02/20/cross-origin-resource-sharing.html
• https://security.stackexchange.com/questions/8264/why-is-the-same-origin-policy-so-important
• https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
• https://security.stackexchange.com/questions/91165/why-is-the-synchronizer-token-pattern-preferred-over-the-origin-header-check-to
• https://security.stackexchange.com/questions/23371/csrf-protection-with-custom-headers-and-without-validating-token
• https://stackoverflow.com/questions/11423682/cross-domain-form-posting
• https://www.exploit-db.com/exploits/18791/
• https://stackoverflow.com/questions/5710358/how-to-retrieve-post-query-parameters
• https://stackoverflow.com/questions/44816519/how-to-get-cookie-value-in-expressjs
• https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely
• https://security.stackexchange.com/questions/158045/is-checking-the-referer-and-origin-headers-enough-to-prevent-csrf-provided-that
• https://stackoverflow.com/questions/13147693/how-to-extract-request-http-headers-from-a-request-using-nodejs-connect
• https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/setRequestHeader
• https://stackoverflow.com/questions/3076414/ways-to-circumvent-the-same-origin-policy
• https://github.com/tymondesigns/jwt-auth
• https://www.npmjs.com/package/express-session
• https://medium.com/of-all-things-tech-progress/starting-with-authentication-a-tutorial-with-node-js-and-mongodb-25d524ca0359
• https://github.com/DDCSLearning/authenticationIntro
• https://jwt.io/introduction/
• https://www.owasp.org/index.php/HttpOnly