With the advent of custom TLDs, phishing attack vectors are growing. Users no longer have to know what the domain is, they must now also be aware of all the domains and tlds a company owns.

For a long time, I didn't protect my actionable links from CSRF attacks. By actionable links, I mean links that will modify data on the server, e.g. "delete product", "publish post", "like". I'd always written these as regular "a href" links, but this can be a very easy to manipulate attack.