Security fixes (#8081)

* use safeloader

* use json responses wherever possible

* remove CORS and add CSRF token

* formatting fixes

* add envjs back

* fix baseurl test

web/src/components/CameraImage.jsx

@@ -58,7 +58,7 @@ export default function CameraImage({ camera, onload, searchParams = '', stretch
     if (!config || scaledHeight === 0 || !canvasRef.current) {
       return;
     }
-    img.src = `${apiHost}/api/${name}/latest.jpg?h=${scaledHeight}${searchParams ? `&${searchParams}` : ''}`;
+    img.src = `${apiHost}api/${name}/latest.jpg?h=${scaledHeight}${searchParams ? `&${searchParams}` : ''}`;
   }, [apiHost, canvasRef, name, img, searchParams, scaledHeight, config]);
 
   return (