* feat(security): set SameSite=strict on session cookie
Use SameSite=Strict as a hardening measure against cross-origin attacks.
While browsers have been moving to default to SameSite=Lax, explicitly
setting SameSite ensures that all browsers enforce it consistently.
While 'lax' is a reasonable hardening choice, the cookie is only
required for requests to '/api/...' and we don't expect 3rd party links
into '/api/...', so this stricter setting should be safe in terms of
usability. Furthermore, while our GET APIs are not state-changing, using
'strict' future-proofs us in case we add a state-changing GET API ('lax'
allows cross-origin 'GET' requests for increased usability for read-only
requests).
Also add a comment to SetCORS() lack of Access-Control-Allow-Credentials
as a reminder that its omission is intentional for defense in depth on
when to attach the cookie to a request.
* chore: mention that Lax sends the cookie with other safe HTTP methods
c40ad64604