add algorithm-option, set default hash algorithm to sha256

[Uzlopak]

Motivated by the latest csurf sec. vuln.

snyk writes regarding csurf:

In particular, it doesn’t properly validate cookie values for the double submit cookie pattern, which results in attackers being able to spoof the CSRF token. Adding to the problem, it relies on a deprecated encryption algorithm (SHA1) for hashing CSRF tokens.

https://snyk.io/blog/explaining-the-csurf-vulnerability-csrf-attacks-on-all-versions/

I personally think sha1 or sha256 or whatever does not make a big difference as csrf is actually shortlived so there is no time to crack it actually. But this PR adds anyway the algorithm option.

It sets sha256 as default hash algorithm. It would be a breaking change, but people could upgrade and set the algorithm back to sha1 if they still want to use sha1.

It this gets merged, there would be a follow up PR for the csrf-protection package.

Checklist

• run npm run test and npm run benchmark
• tests and/or benchmarks are included
• documentation is changed or added
• commit message and code follows the Developer's Certification of Origin
  and the Code of conduct

[Uzlopak]

@climba03003
@mcollina
@Eomm
@jsumners

[mcollina]

I'm ok with making the default sha256

[Uzlopak]

@mcollina

Changed to use sha256 by defaultl