fix(api): csurf to SameSite 'strict', https only (#39077)

Lax and http are probably sufficient, but if the stricter versions work
there's no harm using them.

api-server/server/middlewares/csurf.js

@@ -3,7 +3,9 @@ import csurf from 'csurf';
 export default function() {
   const protection = csurf({
     cookie: {
-      domain: process.env.COOKIE_DOMAIN || 'localhost'
+      domain: process.env.COOKIE_DOMAIN || 'localhost',
+      sameSite: 'strict',
+      secure: true
     }
   });
   return function csrf(req, res, next) {