- Added CSRF exemption to all JWT-authenticated API endpoints
- API routes use JWT tokens, not session cookies, so CSRF protection is not needed