Currently there is no authentication / token support in how OC web talks to the OC agent.

Users could get customized security by proxying the OC agent behind their frontend web server, which could enforce things like CSRF protection and user authentication in an application-specific way.

This issue tracks creating an explanation for how to do this proxying and a detailed example of it.