Plain 0.58.0 includes completely rewritten CSRF protection — no more {{ csrf_input }} needed!

This mostly relies on the modern Sec-Fetch-Site header and some great research by Filippo Valsorda (https://words.filippo.io/csrf/), and the new csrf middleware in Go 1.25.