There are many approaches to preventing CSRF. The security measures implemented by this middleware are:
- When running under HTTPS (which you 100% should be doing in production), most browsers send `Origin` and/or `Referer` headers (source). These are used to detect whether a request is coming from a different domain.
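The check described above, as an added example rather than the middleware's own code: for state-changing methods it compares the request's `Origin` (or, failing that, `Referer`) against a set of allowed origins. `allowedOrigins`, the header object shape (lower-cased keys, as in Node's `req.headers`) and the treatment of a missing header as a failure are assumptions of this example.

```javascript
// Added example (not the middleware's own code): a same-origin check for
// state-changing requests based on the Origin / Referer headers that
// browsers send under HTTPS.
// `allowedOrigins` is an assumed parameter: the origins that may legitimately
// submit requests to this app, e.g. new Set(['https://app.example']).

const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Parse a header value into a normalised "scheme://host[:port]" origin,
// or null when it is absent, the literal "null", or not a valid URL.
function originOf(value) {
  if (!value || value === 'null') return null;
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Returns { ok, reason } for the given method and request headers.
function checkSameOrigin(method, headers, allowedOrigins) {
  if (!UNSAFE_METHODS.has(method.toUpperCase())) {
    return { ok: true, reason: 'safe method' };
  }
  // Prefer Origin: it is sent on cross-site POSTs and, unlike Referer,
  // is not stripped by the user's referrer policy.
  const origin = originOf(headers['origin']);
  if (origin !== null) {
    return allowedOrigins.has(origin)
      ? { ok: true, reason: 'origin allowed' }
      : { ok: false, reason: `origin ${origin} not allowed` };
  }
  // Fall back to Referer, which carries a full URL; only its origin matters.
  const referer = originOf(headers['referer']);
  if (referer !== null) {
    return allowedOrigins.has(referer)
      ? { ok: true, reason: 'referer allowed' }
      : { ok: false, reason: `referer ${referer} not allowed` };
  }
  // Neither header present (or Origin was "null"): a browser-initiated
  // request under HTTPS would normally carry at least one, so the
  // conservative choice (assumed here) is to reject rather than pass.
  return { ok: false, reason: 'missing origin and referer' };
}
```

Because `URL.origin` normalises default ports and drops path and query, a `Referer` of `https://app.example:443/account/settings` matches an allowed origin of `https://app.example`.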