0.6

• Requests with an Authorization: Bearer xxx header are no longer subject to CSRF checks. #11
• Requests without cookies are no longer subject to CSRF checks unless the page path is explicitly listed in always_protect. #11