If you are using JSF 2.2 you can use its embedded feature to protect GET requests (Including Ajax calls) :
- At faces-config file add the following snippet :
Thank you, Ibrahim.
Do you mean that JSF already enables CSRF protection by default for POST requests?
Yes Sergey, JSF by default protect applications from XSS and CSRF (post request).