send CSRF token in a response header,

update the page's CSRF tokens with the new token
from the response header,
verify csrf token in ajax endpoints,
initialize a session for every endpoint

ajax/bandwidth/get_bandwidth.php

@@ -1,8 +1,10 @@
 <?php
+
+require('includes/csrf.php');
+
 require_once '../../includes/config.php';
 require_once RASPI_CONFIG.'/raspap.php';
 
-session_start();
 header('X-Frame-Options: DENY');
 header("Content-Security-Policy: default-src 'none'; connect-src 'self'");
 require_once '../../includes/authenticate.php';

ajax/bandwidth/get_bandwidth_hourly.php

@@ -1,4 +1,7 @@
 <?php 
+
+require('includes/csrf.php');
+
 if (filter_input(INPUT_GET, 'tu') == 'h') {
 
 	header('X-Content-Type-Options: nosniff');

ajax/networking/gen_int_config.php

@@ -1,5 +1,7 @@
 <?php
-session_start();
+
+require('includes/csrf.php');
+
 include_once('../../includes/config.php');
 include_once('../../includes/functions.php');
 

ajax/networking/get_all_interfaces.php

@@ -1,4 +1,7 @@
 <?php
+
+    require('includes/csrf.php');
+
     exec("ls /sys/class/net | grep -v lo", $interfaces);
     echo json_encode($interfaces);
 ?>

ajax/networking/get_int_config.php

@@ -1,5 +1,7 @@
 <?php
-session_start();
+
+require('includes/csrf.php');
+
 include_once('../../includes/config.php');
 include_once('../../includes/functions.php');
 

ajax/networking/get_ip_summary.php

@@ -1,5 +1,7 @@
 <?php
-session_start();
+
+require('includes/csrf.php');
+
 include_once('../../includes/functions.php');
 
 if(isset($_POST['interface'])) {

ajax/networking/save_int_config.php

@@ -1,5 +1,7 @@
 <?php
-    session_start();
+
+    require('includes/csrf.php');
+
     include_once('../../includes/config.php');
     include_once('../../includes/functions.php');
     if(isset($_POST['interface'])) {