SeaSurf and CSRF protection of forms
CSRF protection adds security to your site by proving that a POST submission came from your site, and not a carefully crafted web form on another site designed to maliciously exploit the POST endpoints on your blog. These malicious requests can even work around authentication if your browser still considers you logged in.
The way we avoid this is to add a special hidden field to any form on the site that has a value in it, generated by the server. When the form is submitted, the value in the special field can then be checked against the values generated by the server and, if it matches, we can continue with the form submission. If the value does not match or is non-existent, the form has come from an invalid source.
Note
What CSRF protection actually proves is that the template, with the CSRF field in it, was used to generate the form. This mitigates the most basic of CSRF attacks from other sites but isn't conclusive in validating that the form submission...
