
restrict access to cookies

Bengfort requested to merge security-cookie-headers into main

https://docs.djangoproject.com/en/3.1/ref/settings/#csrf-cookie-samesite

Whether we need JS to access cookies depends more on the application than on the specific deployment, so I added this to settings/default.py rather than example_deployment/settings.py.
