Issue #2753681 by tedbow, Wim Leers, dawehner, neclimdul, catch: Move CSRF header token out of REST module so that user module can use it, as well as any contrib module