This app completely breaks protection against password bruteforcing and other security hardening, don't use it.
Because the time spend checking password adds noise to benchmarking, and CSRF checks are annoying when trying to test and api endpoint.
The password bruteforce protection bypass is enabled automatically, the CSRF bypass is enabled by setting a non-empty CSRF
header.