I don’t think CSRF has anything to do with those?
The endpoints serving those links can't be protected as well. Unless they serve a form that posts, which may not be legal if it requires extra clicks
The endpoints serving those links can't be protected as well. Unless they serve a form that posts, which may not be legal if it requires extra clicks