Odoo URLs are CSRF-protected by default (when accessed with unsafe

HTTP methods). See

https://www.odoo.com/documentation/9.0/reference/http.html#csrf for

more details.

* if this endpoint is accessed through Odoo via py-QWeb form, embed a CSRF

  token in the form, Tokens are available via `request.csrf_token()`

  can be provided through a hidden input and must be POST-ed named

  `csrf_token` e.g. in your form add:

      <input type="hidden" name="csrf_token" t-att-value="request.csrf_token()"/>

* if the form is generated or posted in javascript, the token value is

  available as `csrf_token` on `web.core` and as the `csrf_token`

  value in the default js-qweb execution context

* if the form is accessed by an external third party (e.g. REST API

  endpoint, payment gateway callback) you will need to disable CSRF

  protection (and implement your own protection if necessary) by

  passing the `csrf=False` parameter to the `route` decorator.