I’m developing a GWT app running on the Google App Engine and wondering if I need to worry about Cross-site request forgery or is that automatically taken care of for me?

For every RPC request that requires authentication, I have the following code:

public class BookServiceImpl extends RemoteServiceServlet implements
BookService {
    public void deleteInventory(Key<Inventory> inventoryKey) throws NotLoggedInException,  InvalidStateException, NotFoundException {
        DAO dao = new DAO();
            // This will throw NotLoggedInException if user is not logged in
        User user = dao.getCurrentUser();
            // Do deletion here
    }
}

public final class DAO extends DAOBase {
    public User getCurrentUser() throws NotLoggedInException {
            currentUser = UserServiceFactory.getUserService().getCurrentUser();
            if(currentUser == null) {
                throw new NotLoggedInException();
            }
        return currentUser;
    }

I couldn’t find any documentation on how the UserService checks authentication. Is it enough to rely on the code above or do I need to to more? I’m a beginner at this, but from what I understand to avoid CSRF attacks some of the strategies are:

1. adding an authentication token in
   the request payload instead of just
   checking a cookie
2. checking the HTTP
   Referer header

I can see that I have cookies set from Google with what look like SID values, but I can’t tell from the serialized Java objects in the payloads if tokens are being passed or not. I also don’t know if the Referer header is being used or not.

So, am I worrying about a non-issue? If not, what is the best strategy here? This is a common enough problem, that there must be standard solutions out there…