Without those headers, you can, as a fallback, compare the Origin header to the Host header.

See https://words.filippo.io/csrf/
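A sketch of that fallback check, as an added example (not code from this page or from the linked article). The function names are hypothetical, and the sketch assumes that GET/HEAD/OPTIONS never change state and that a request with no Origin header did not come from a browser's cross-origin form or fetch.

```python
from urllib.parse import urlsplit

# Assumption: these methods are side-effect free in the application.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_matches_host(origin, host):
    """True when the Origin header's host[:port] equals the Host header."""
    if not origin or not host:
        return False
    try:
        parts = urlsplit(origin)
    except ValueError:  # malformed value, e.g. an unbalanced IPv6 bracket
        return False
    # A serialized origin is scheme://host[:port] and nothing more.
    # The opaque origin "null" has no scheme or netloc and is rejected here.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return False
    # Host carries no scheme, so this comparison cannot tell http from https.
    return parts.netloc.lower() == host.strip().lower()


def allow_request(method, headers):
    """Fallback CSRF check: reject unsafe requests whose Origin != Host."""
    if method.upper() in SAFE_METHODS:
        return True
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        # Assumption (labelled policy choice): no Origin header means a
        # non-browser client, which is not a CSRF vector.
        return True
    return origin_matches_host(origin, h.get("host"))


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("POST", {"Host": "app.example", "Origin": "https://app.example"}),
        ("POST", {"Host": "app.example", "Origin": "https://evil.example"}),
        ("POST", {"Host": "app.example", "Origin": "null"}),
    ]
    for method, headers in samples:
        print(method, headers.get("Origin"), "->", allow_request(method, headers))
```

Behind a reverse proxy that rewrites Host, compare against the externally visible host name instead.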