There's an interesting paper on CSRF mentioned on Slashdot today:

<http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf>

It mentions Catalyst along with some other frameworks and suggests a way to build in CSRF-protection.

Cheers,
Dave