restrict access to cookies
https://docs.djangoproject.com/en/3.1/ref/settings/#csrf-cookie-samesite
Whether we need JS to access cookies depends more on the application than on the specific deployment, so I added this to settings/default.py
rather than example_deployment/settings.py.