Protection against CSRF


Author:

Gareth Heyes

@hackvertor

Published: Mon, 20 Aug 2007 15:05:34 GMT

Updated: Sat, 22 Mar 2025 15:38:03 GMT

CSRF is hard to defend against because the victim's browser performs the actions on the attacker's behalf, using the victim's own credentials. There are still a couple of things you can do to make it harder, and I shall explain a few methods here.

Form tokens

Form tokens can make CSRF more difficult for an attacker; an explanation of form tokens is available in a previous post. Using one will not make your site 100% secure against CSRF, but it will help. Make sure a form token has a short expiry, is only valid for the user in question, and is never sent using GET.

Random page names

When a user signs up to your service, each of them can be assigned a random URL that they use to perform any action. The random URL should only be valid for the current session and should only be created once their username and password have been supplied.

Authentication

Asking for the username and password again should always be done for sensitive operations. If authentication is required, it becomes much more difficult for an attacker to manipulate a user's actions without knowing a valid password.

Frame breaker

Frame breakers are very old school, but they can be very effective in protecting against iframe attacks: if the page finds itself loaded inside another document, it navigates the top window back to your own site.

```javascript
// If this page is not the top-level document, it is being framed:
// break out by pointing the top window at your own site.
if (top != self) {
  top.location.href = 'http://yoururl/';
}
```

Damage limitation

Amazon understand this very well and have designed their delivery system this way. For example, if an attacker did manage to perform CSRF on an Amazon user to buy a book, the attacker could only have it delivered to one of the user's already-assigned addresses, and even changing a delivery address requires credit card confirmation. This is good system design and provides good damage limitation.
