[DOCS] Updates for API usage

[KOTungseth]

Summary

Replaces #38107. @dcode, I was unable to push to your branch, so I created a new PR.

Closes part of #19553.

Here is the original summary:

While trying to use the Kibana API for programmatically creating Spaces, I ran across an issue when using the examples and specifying the color that I pulled from the Kibana UI to manage spaces. Namely, the UI presents hex color codes in all caps, while the API only accepts lower case hex. Secondly, there's no documentation (that I could find) that specified that both the kbn-xsrf and Content-Type headers are required.

[skip ci]

Checklist

Use strikethroughs to remove checklist items you don't feel are applicable to this PR.

- [ ] This was checked for cross-browser compatibility, including a check against IE11
- [ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)

• Documentation was added for features that require explanation or tutorials
  - [ ] Unit or functional tests were updated or added to match the most common scenarios
  - [ ] This was checked for keyboard-only and screenreader accessibility

For maintainers

• This was checked for breaking API changes and was labeled appropriately
• This includes a feature addition or change that requires a release note and was labeled appropriately

[elasticmachine]

Pinging @elastic/kibana-docs (Team:Docs)

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[legrego]

Namely, the UI presents hex color codes in all caps, while the API only accepts lower case hex

This limitation/bug was fixed in #43470, and was released with 7.3.2

Secondly, there's no documentation (that I could find) that specified that both the kbn-xsrf and Content-Type headers are required.

kbn-xsrf is required by default for API calls, unless:

1. The call is a GET or HEAD request
2. or the path is explicitly whitelisted via server.xsrf.whitelist
3. or XSRF protections are explicitly disabled via server.xsrf.disableProtection (we don't recommend this either)

Instructions on how to whitelist API endpoints for server.xsrf.whitelist

Example whitelist setting:

Note: We don't recommend disabling protections for arbitrary API endpoints. We want to encourage users to supply the kbn-xsrf header instead of whitelisting endpoints whenever possible. There are some scenarios where whitelisting is required, however, such as SAML and OIDC setups

server.xsrf.whitelist: ["/api/security/v1/oidc", "/api/spaces/space"]

An example that uses request headers

Would something like this be helpful?

curl -X POST \
  http://localhost:5601/api/spaces/space \
  -H 'Content-Type: application/json' \
  -H 'kbn-xsrf: true' \
  -d '{
	"id": "sales",
	"name": "Sales",
	"description": "This is your Sales Space!",
	"disabledFeatures": []
}
'