Is your feature request related to a problem? Please describe.
It's currently impossible to natively secure a self-hosted installation of CSML server. Auth must be performed elsewhere (network, load balancer, etc.) which is less than ideal.

Describe the solution you'd like
Something like defining an API_KEY in the env and if set, requiring all requests to the server to have the X-Api-Key header set to the value of the API key would be nice.

To help with key rotation, we could also do a API_KEY=key1,key2 which allows both keys for the time of the rotation?