I think that one of the best is whitelist, where you define what domains you allow to use your cas.
Right now this feature is in review stage and soon will be integrated with the main branch.
Is not the best implementation but only one which we have right now on the way :)
But we work on that.
If you have any other ideas what kind of solution we could have, feel free to share.
Best regards