The AppScan report insists that my site has some problems with Cross-Site Request Forgery.
1-) Using a token on forms is a good solution, but in the report there are pages without forms, like the "Logout" page. It just kills the session and that's all; I don't understand how CSRF can be utilized there.
2-) Is checking "Referer" a good solution? Everyone says no. And the "Referer" header is not always present.
3-) Same-Site cookies are shown as the ultimate solution, but I don't use cookies at all.
What needs to be done to mitigate CSRF?
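
Point 1 concerns a state-changing page that has no form. The sketch below is an added example, not part of the original post: it shows a logout handler that refuses GET and requires a per-session synchronizer token. The in-memory `SESSIONS` store, `create_session` and `handle_logout` are hypothetical names, and how the session id reaches the server is left open.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session CSRF token.
SESSIONS = {}


def create_session():
    """Create a session and the CSRF token the server embeds in its own pages."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def handle_logout(method, session_id, submitted_token):
    """Return the HTTP status for a logout request (hypothetical handler)."""
    # Logout changes server state, so it is not exposed over GET:
    # any page that merely embeds the URL can cause a GET request.
    if method != "POST":
        return 405
    expected = SESSIONS.get(session_id)
    if expected is None:
        return 401  # unknown or already-ended session
    # A missing token counts as a mismatch; the comparison is constant-time.
    if not submitted_token or not hmac.compare_digest(
        expected.encode(), submitted_token.encode()
    ):
        return 403
    del SESSIONS[session_id]  # the actual logout
    return 204
```

The token is sent by the site's own logout button (a hidden field or a custom request header), which a page on another origin cannot read.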