Form can be protected against Cross-Site Request Forgery (CSRF) attacks using an authorization token that is generated on the server, rendered in a hidden form field and then validated during form submission (when the bind method is called). All you must to do for such a protection is:
FormMapping<Registration> filledForm = registrationForm.fill(formData, LOCALE, new ServletRequestContext(request));
RequestContext serves as an entry point to request-specific data that is used by the library and in this case Formio can use it to store the secret for the generated token into the user session. Token is unique for each user and for each rendering (filling) of the root form mapping. Secret for the token is cleared from the user session after the form (root mapping) is processed.