In case you wonder what it is:
(Wiki) Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
Anyway, does anyone know of some good best practices ref docs?
Specifically, for Web Forms (if that really matters).
I would start at: Web Application Security Overview. In the references there are a few useful links, some of which appear to be closed now. One good reference is: Bunch of references
I also recommend reviewing this search return: NIST gov is another good source especially.
Not certain which technology you are targeting; nsa.gov has a large number of obscure references that are quite good.