1. Amon2::Plugin::Web::CSRFDefender was removed from Amon2 core distribution. Amon2::Plugin::Web::CSRFDefender is no longer default CSRF defender module in Amon2. I suggest to use HTTP::Session2. If you still use Amon2::Plugin::Web::CSRFDefender, you need to write dependency explicitly in your cpanfile. 2. Latest Amon2::Plugin::Web::CSRFDefender is bit secure. @mala says Amon2::Util::random_string