Which of the following is a common defence mechanism against CSRF attacks?