Securing your Web API

You are working on a Web API that will store stats for a new game that you will release as an app for various platforms and as a web application. Users first need to register before they can play games and share their achievements with other users.

Can you use Windows Authentication?
Do you need to protect yourself against XSRF?
Is CORS important for your back end?