CSRF, CORS, and HTTP Security headers Demystified