CSRF attacks are another popular way applications can be hijacked: a user with elevated privileges is tricked into executing unwanted actions on a site where they are authenticated. Usually, this happens when certain URLs on the application trigger a process simply by being accessed through the browser by an authenticated user, for example, deleting a resource.
The most important thing to consider in this respect is to never have such actions happen simply because a URL is accessed. To help with this, we have the powerful Form API, which already had token-based CSRF protection embedded in previous versions of Drupal. So you can create forms whose submit handlers perform the potentially damaging actions (as we learned in ...
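As an added illustration (not code from the book or from Drupal core), the following confirmation form shows the pattern: the deletion lives in a submit handler, so it can only run after a POST whose Form API token validates, never on a plain GET. The module name `example_module`, the route names and the `example_module.resource_storage` service are hypothetical.

```php
<?php

namespace Drupal\example_module\Form;

use Drupal\Core\Form\ConfirmFormBase;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Url;

/**
 * Confirmation form that deletes a resource from its submit handler.
 *
 * Wire it up in example_module.routing.yml (hypothetical route):
 *   example_module.resource_delete:
 *     path: '/admin/resource/{resource_id}/delete'
 *     defaults:
 *       _form: '\Drupal\example_module\Form\ResourceDeleteForm'
 *     requirements:
 *       _permission: 'administer resources'
 *
 * Visiting the path only renders the form (with its hidden form_token);
 * the Form API rejects any submission whose token does not validate.
 */
class ResourceDeleteForm extends ConfirmFormBase {

  protected $resourceId;

  public function getFormId() {
    return 'example_module_resource_delete_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state, $resource_id = NULL) {
    $this->resourceId = $resource_id;
    return parent::buildForm($form, $form_state);
  }

  public function getQuestion() {
    return $this->t('Delete resource %id?', ['%id' => $this->resourceId]);
  }

  public function getCancelUrl() {
    return new Url('example_module.resource_list');
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // The damaging action runs here, only after token validation succeeded.
    // 'example_module.resource_storage' is an assumed custom service.
    \Drupal::service('example_module.resource_storage')->delete($this->resourceId);
    $this->messenger()->addStatus($this->t('Resource %id deleted.', ['%id' => $this->resourceId]));
    $form_state->setRedirectUrl($this->getCancelUrl());
  }

}
```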