Probably I asked about CSRF protection in the wrong place but then I found an answer by myself.
The toolkit provides a csrf() helper but unfortunately it is still undocumented. I think that using CSRF protection is one of the basic tools, along with input validation and sanitization, that helps to create secure themes and plugins.