See https://incompleteness.me/blog/2007/02/07/csrf-protection/