Question:
I'm creating a website using backbone and node.js and don't think that by default there is any protection against CSRF. Is there a standard way to protect against CSRF when using backbone with node.js? Thanks
Answer 1:
You could simply ensure requests have the X-Requested-By header with the value XMLHTTPRequest. AJAX requests have cross-domain restrictions, so if that header is present it was not e.g. a hidden form on a malicious website.
Answer 2:
I don't know of anything specific for node.js + backbone, but you can use http://www.senchalabs.org/connect/middleware-csrf.html (assuming you're using express or something connect-compatible). You'll need to output the token somewhere in your html, like as a meta tag. Then you can modify the backbone sync method to pull that token and pass it to express via header, query, or form.
Answer 3:
If the Allow-Origin header is set to something permissive (e.g., Allow-Origin:*), X-Requested-By will not prevent request forgeries. Any JavaScript running on another host will be able to craft requests that still enable request forgeries.
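An added example serving answers 1 and 3 together (not code from the original thread): the server-side XHR-header check from answer 1, beside a model of the browser's CORS preflight decision, which is what determines whether script on another origin can attach that header to a request carrying the victim's cookies. The header checked is X-Requested-With: XMLHttpRequest, the name jQuery and most libraries actually send (the answer writes X-Requested-By). Request objects, origins and the CORS response headers are constructed for illustration; the preflight model follows the Fetch standard's rules, including that the `*` wildcard is not honoured for credentialed requests.

```javascript
// Added example, not code from the original thread. Server side: accept a
// state-changing request only if it is marked as an XHR. A plain HTML form
// (hidden or not) cannot add custom headers, so a form posted from another
// site fails this check.
function xhrHeaderCheck(req) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return true;
  const value = req.headers && req.headers['x-requested-with'];
  return value === 'XMLHttpRequest';
}

// Browser side: a cross-origin XMLHttpRequest that sets a non-safelisted
// header such as X-Requested-With triggers a preflight. The browser sends the
// real request only if the server's CORS response allows the origin and the
// header, and attaches cookies only for a credentialed request the server
// also allows. For credentialed requests the '*' wildcard is not honoured.
// `corsHeaders` is the server's preflight response, lower-cased names.
function crossOriginXhrAllowed(corsHeaders, origin, customHeader, withCredentials) {
  const allowOrigin = corsHeaders['access-control-allow-origin'];
  const allowHeaders = (corsHeaders['access-control-allow-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  const allowCreds = corsHeaders['access-control-allow-credentials'] === 'true';
  const wanted = customHeader.toLowerCase();

  let allowed;
  if (withCredentials) {
    allowed = allowOrigin === origin && allowHeaders.includes(wanted) && allowCreds;
  } else {
    allowed = (allowOrigin === '*' || allowOrigin === origin)
      && (allowHeaders.includes('*') || allowHeaders.includes(wanted));
  }
  return { allowed, cookiesSent: allowed && withCredentials };
}

// The two together: can script on `attackerOrigin` make the victim's browser
// send a request that passes xhrHeaderCheck with the victim's cookies? The
// attacker sets xhr.withCredentials = true, since a request without the
// victim's session cookie is not a useful forgery.
function headerCheckForgeable(corsHeaders, attackerOrigin) {
  const r = crossOriginXhrAllowed(corsHeaders, attackerOrigin, 'X-Requested-With', true);
  return r.allowed && r.cookiesSent;
}
```

What the model shows: a bare `Access-Control-Allow-Origin: *` blocks the custom header at preflight and never sends cookies, so the header check still holds there; the configuration that defeats it is an echoed origin plus `Access-Control-Allow-Credentials: true` plus the header listed in `Access-Control-Allow-Headers`. Either way the header check rests on browser policy rather than on a secret the attacker cannot read, which is why a per-session token is the more robust defence.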