Which practice best prevents Cross-Site Request Forgery (CSRF) attacks?
Including CSRF tokens in forms and headers is the most effective way to prevent CSRF attacks. These tokens should be:

1) Unique per session/request
2) Included in a custom header for AJAX requests
3) Validated on the server side
4) Generated with strong randomness

This ensures that state-changing requests can only come from your legitimate application, not from malicious sites: a cross-origin page can make the browser send a victim's cookies, but it cannot read or guess the token it must include.