In the course of implementing CSRF defenses in the extremely broad (over 3000 web applications) and diverse environment that is the NIH, I have found that not all CSRF defenses are created equal. A lot of research, experimentation, and conversations with vendors and developers have yielded an understanding of the wide variety of csrf defenses and their tradeoffs, which I would like to share with the industry at large.