Draft: 2.x add config for cookie/jwt auth and check for CSRF token