How to best prevent CSRF attacks in a GAE app?

Front-end · Unresolved · 3 · 1017
上瘾入骨i 2021-02-04 12:01

So, what is the best way to prevent an XSRF attack for a GAE application? Imagine the following:

  1. Anyone can see a user\'s public object, and the db.Model id is us
3 answers
  •  离开以前
    2021-02-04 12:16

    Simple: Check the referer. It's (deliberately) impossible to set this using JavaScript, HTML forms, etc. If it's blank (some proxies and browsers strip referers) or from your own site - or more specifically from the expected source - allow it. Otherwise, deny it and log it.

    Edit: Jeff wrote a followup article with a couple of ways to prevent CSRF attacks.
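The referer policy described in this answer, written out as an added example (not code from the answer or from any GAE library); it is framework-agnostic, takes the request headers as a plain dict, and assumes a constructed ALLOWED_ORIGINS set. The comparison is on the full scheme://host origin, so a look-alike host that merely starts with your domain does not pass.

```python
import logging
from urllib.parse import urlsplit

# Constructed example: origins from which this app accepts state-changing requests.
# Include the exact scheme and host the browser will send; a non-default port
# (e.g. ":8080" in local development) must be listed explicitly.
ALLOWED_ORIGINS = {"https://example.appspot.com", "https://www.example.com"}


def referer_origin(referer):
    """Return the lower-cased scheme://host[:port] of a Referer value.

    Returns None when the value has no scheme or host, which the policy
    treats as not matching any allowed origin (and therefore denied).
    """
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return None
    return "%s://%s" % (parts.scheme.lower(), parts.netloc.lower())


def referer_allowed(referer, allowed_origins=ALLOWED_ORIGINS):
    """Apply the answer's rule to one Referer value.

    Blank referer: allowed (some proxies and browsers strip it).
    Referer from an expected origin: allowed.
    Anything else: denied and logged.
    """
    if not referer:
        return True
    origin = referer_origin(referer)
    if origin in allowed_origins:
        return True
    logging.warning("Rejected cross-site request; Referer=%r", referer)
    return False


def check_request(headers, allowed_origins=ALLOWED_ORIGINS):
    """Decide for a request given its headers (dict, case-insensitive lookup).

    Only state-changing handlers (POST/PUT/DELETE) need this check; reads are
    not what CSRF targets.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return referer_allowed(lowered.get("referer"), allowed_origins)
```

Hosts are compared whole, so a referer of `https://example.appspot.com.evil.com/` or one that only carries your domain in its query string is denied.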
