
CSRF token generation in GWT RequestFactory based app


Including a CSRF prevention token in POST requests and validating it on the server by overriding DefaultRequestTransport and RequestFactoryServlet seems to be simple enough.

However, I have one remaining issue: how can I generate the token and get it to the client in the first place?

It is quite possible, nay likely, that I have missed something obvious. I am assuming that I need to create the token when the session is created on the server, store it in the session and pass it to the client.

The client then stores the token in a cookie and passes the token in request headers from that point onwards.

Is there a filter of some sort which I can use to provide the tokens?


Solution

  • If you were using RPC, you can read this document; it has example code for implementing it.

    For RF, this question could be helpful.
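
The flow described in the question (create the token with the session, hand it to the client in a cookie, require it back in a request header on POST) fits in a plain servlet filter. The following is an added example, not code from the question, the answer or GWT itself; the class name, session attribute, cookie name and header name are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: map it to the GWT host page and to the RequestFactory servlet URL.
public class CsrfTokenFilter implements Filter {
    static final String ATTR = "csrfToken";       // assumed session attribute name
    static final String COOKIE = "CSRF-TOKEN";    // assumed cookie name
    static final String HEADER = "X-CSRF-Token";  // assumed request header name
    private final SecureRandom random = new SecureRandom();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        HttpSession session = req.getSession(true);
        String token = (String) session.getAttribute(ATTR);
        boolean issued = (token == null);
        if (issued) {
            // First request in this session: create the token and hand it to the client.
            byte[] raw = new byte[32];
            random.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(ATTR, token);
            Cookie c = new Cookie(COOKIE, token); // not HttpOnly: client code must read it
            c.setPath("/");
            c.setSecure(req.isSecure());
            resp.addCookie(c);
        }
        if ("POST".equals(req.getMethod())) {
            String sent = req.getHeader(HEADER);
            // A session that only just received its token cannot have sent it back yet.
            if (issued || sent == null || !MessageDigest.isEqual(
                    sent.getBytes(StandardCharsets.UTF_8), token.getBytes(StandardCharsets.UTF_8))) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing or invalid CSRF token");
                return;
            }
        }
        chain.doFilter(req, resp);
    }
}
```

The host page load creates the session and sets the cookie, so the token exists before the first RequestFactory call. On the client, the overridden DefaultRequestTransport reads the cookie and sends its value in the header.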