In what ways site administrators can detect incoming CSRF attacks?


You implement a CSRF token on every vulnerable form. When there is a CSRF error, it is logged, so you “detect” it (do note that it might be a false positive, such as having cleared the cookies). If you protect from CSRF attacks, I don’t think it would be woth preparing such attack, as it won’t work.

You might do some checks based on Referer header, which could allow you to detect certain CSRF attacks. Although that depends on the browser and settings, if there’s no referer header (which could be suppressed by the attacking page on modern brower) you would receive no information.