Avoiding XSRF

• Do not use state-changing GETs

• For forms, add a randomly named hidden field with a random value, associate those with a session and check them on FORM submission

• If app is susceptible to XSS, random name/values can be extracted from forms

• For extremely sensitive operations (changing password, others), require re-authentication