Which measures are commonly used to protect against CSRF attacks in web apps?


Multiple Choice

Which measures are commonly used to protect against CSRF attacks in web apps?

Explanation:
Protecting against CSRF centers on making sure that requests which change state truly come from the legitimate user and site, not from an attacker-controlled page. Anti-CSRF tokens embed a unique secret in each form or request and require the server to verify it on receipt; without that token, the forged request is rejected, so an attacker cannot perform actions on behalf of the user. Pairing this with same-site cookies (the SameSite cookie attribute) further blocks cross-site requests by preventing the browser from sending the authentication cookie on requests initiated from another site, so even if a user is enticed to click something elsewhere, the site won't see a valid session. Robust session handling reinforces this by using short-lived sessions, regenerating session identifiers after login or sensitive actions, and enforcing re-authentication for critical operations, which narrows the window in which an attacker can abuse an active session.

Other options don't provide the same protection. Server-side encryption protects data confidentiality, not the authenticity of requests. Client-side validation can be bypassed by an attacker because it relies on code running in the user's browser, which the attacker does not have to honour. Increased logging helps detect incidents after they occur but doesn't prevent CSRF attacks in real time.

