What two things do you need to do to protect an application from CSRF attacks?

Never

$1.$ During login

$2.$ When dealing with sensitive data

$1.$ Create a random CSRF token every time you're asking the user for data

$2.$ Validate the random token every time you deal with data

$1.$ Creating a cookie

$2.$ Validating the cookie