One of the things that attracted me to Django was its built-in
support for many things like CSRF protection. I've been working under
the assumption that my production code is safe in that regard, site
wide.
If you have the same assumption, check out
http://djangoadvent.com/1.2/django-12-and-csrf/,
which offers a good background on CSRF protection in Django, why it
wasn't up to snuff, and how it is now better. But more importantly, it
wasn't until reading it that I discovered I now have to add
`{% csrf_token %}` to any form on which I want to have CSRF protection.