This will allow us to impose stricter rate limits for general API
traffic, without affecting interactive API requests made by the
frontend during normal GitLab usage.

The frontend requests are identified by the inclusion of a CSRF token
in the headers.

Other rate limits that only affect a subset of API requests (e.g. the
Files and Packages APIs, or protected paths) are affected by this too,
i.e. requests for these paths with a CSRF token will always be counted
as web traffic, if the web rate limit is enabled.

Changelog: changed