send CSRF token in a response header,

update the page's CSRF tokens with the new token
from the response header,
verify csrf token in ajax endpoints,
initialize a session for every endpoint

ajax/bandwidth/get_bandwidth.php

@@ -1,8 +1,10 @@
 <?php
+
+require('includes/csrf.php');
+
 require_once '../../includes/config.php';
 require_once RASPI_CONFIG.'/raspap.php';
 
-session_start();
 header('X-Frame-Options: DENY');
 header("Content-Security-Policy: default-src 'none'; connect-src 'self'");
 require_once '../../includes/authenticate.php';

ajax/bandwidth/get_bandwidth_hourly.php

@@ -1,4 +1,7 @@
 <?php 
+
+require('includes/csrf.php');
+
 if (filter_input(INPUT_GET, 'tu') == 'h') {
 
 	header('X-Content-Type-Options: nosniff');