Cookie + request parameter
A useful trick is to set a cookie containing a random ID and have JavaScript add a copy of the cookie value to each page submission, as a form field or GET URL parameter. The server then rejects the request if either the cookie or the form field is missing, or if the two do not match.
This blocks a lot of CSRF attacks. The browser will happily include your server's cookie on requests sent to your server from a page on another domain, but JavaScript on that page cannot access the cookie for your domain because of the same-origin policy, so it cannot set the extra form field.
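
The server-side half of the check described above, as an added example in Node.js (not code from the original page). The cookie and field name csrf_id, the function names and the sample requests are assumptions made for illustration.

```javascript
// Added example: double-submit check on the server (Node.js, no framework).
const { randomBytes, timingSafeEqual } = require('node:crypto');

const COOKIE_NAME = 'csrf_id'; // hypothetical name, used for cookie and form field

// Issue the random id. The cookie cannot be HttpOnly: the page's own
// JavaScript has to read it and copy it into the form field, e.g.
//   form.elements.csrf_id.value =
//     document.cookie.match(/(?:^|; )csrf_id=([^;]*)/)[1];
function issueCsrfCookie() {
  const token = randomBytes(32).toString('hex');
  return { token, setCookie: `${COOKIE_NAME}=${token}; Path=/; Secure` };
}

// Pull one cookie value out of a raw Cookie request header.
function readCookie(header, name) {
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Reject unless both copies are present and identical.
function checkRequest(cookieHeader, formFields) {
  const fromCookie = readCookie(cookieHeader, COOKIE_NAME);
  const fromForm = formFields ? formFields[COOKIE_NAME] : undefined;
  if (!fromCookie) return { ok: false, reason: 'cookie missing' };
  if (typeof fromForm !== 'string' || fromForm === '') {
    return { ok: false, reason: 'field missing' };
  }
  const a = Buffer.from(fromCookie);
  const b = Buffer.from(fromForm);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (a.length !== b.length || !timingSafeEqual(a, b)) {
    return { ok: false, reason: 'mismatch' };
  }
  return { ok: true, reason: 'match' };
}

// Constructed sample requests: a same-origin submit, then a cross-site
// form post where the browser attached the cookie but no field was set.
const issued = issueCsrfCookie();
const cookieHdr = `session=abc123; ${COOKIE_NAME}=${issued.token}`;
console.log(checkRequest(cookieHdr, { csrf_id: issued.token }));
console.log(checkRequest(cookieHdr, { amount: '100' }));
```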