Requests that execute transactions must not follow any distinguishable pattern.
CWE-352: Cross-Site Request Forgery (CSRF). The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
OWASP-ASVS v4.0.1 V4.2 Operation Level Access Control. (4.2.2) Verify that the application or framework enforces a strong anti-CSRF mechanism to protect authenticated functionality, and effective anti-automation or anti-CSRF protects unauthenticated functionality.
PCI DSS v3.2.1 - Requirement 6.5.9 Address common coding vulnerabilities in software-development processes such as cross-site request forgery (CSRF).
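
One way to meet this requirement, shown as an added example that is not part of the original page: every transaction request carries a random, session-bound, expiring token that the server verifies before acting. The names `SERVER_KEY`, `MAX_AGE_SECONDS`, `issue_token` and `verify_token` and the 15-minute lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: per-deployment secret; generated here so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)
MAX_AGE_SECONDS = 900  # assumed token lifetime


def _mac(session_id: str, nonce: str, issued_at: int) -> bytes:
    # Derive a per-session key first so a token can never validate for another session.
    session_key = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).digest()
    msg = f"{nonce}|{issued_at}".encode()
    return hmac.new(session_key, msg, hashlib.sha256).hexdigest().encode()


def issue_token(session_id: str, now: Optional[int] = None) -> str:
    """Return a fresh token; the random nonce makes every request unique."""
    issued_at = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(16)  # URL-safe alphabet, never contains "."
    return f"{nonce}.{issued_at}.{_mac(session_id, nonce, issued_at).decode()}"


def verify_token(token: Optional[str], session_id: str,
                 now: Optional[int] = None) -> bool:
    """Accept a transaction request only if its token is intact, ours and fresh."""
    if not token:
        return False  # forged cross-site requests typically arrive with no token
    parts = token.split(".")
    if len(parts) != 3:
        return False
    nonce, issued_raw, mac = parts
    if not (issued_raw.isascii() and issued_raw.isdigit()) or len(issued_raw) > 12:
        return False
    issued_at = int(issued_raw)
    now = int(time.time()) if now is None else now
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return False  # expired, or timestamp from the future
    # Constant-time comparison on bytes avoids leaking the MAC through timing.
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce, issued_at))
```

The token belongs in a hidden form field or custom request header, not in a cookie, since cookies are attached automatically to cross-site requests.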