CSRF Defense. Use %POST% rather than %GET% in forms. Use %$_POST% rather than rely on %register_globals% (or %$_REQUEST%). Do not focus on convenience. Force the use of your own forms.