I happened upon the Cross-Site Request Forgery Prevention Cheat Sheet in my travels.
Tag Archives: xsrf
CSRF, CORS, and HTTP Security headers Demystified
This was on Hacker News today: CSRF, CORS, and HTTP Security headers Demystified.
The above article referred to OWASP SameSite doco, and you can read about how to implement that with PHP.