The goal of a web-request forgery attacker is to manipulate the intended workflow of a web application. Applications that fail to enforce the designer-intended interactions are vulnerable to this type of attack. This paper proposes a systematic methodology for designing web applications to strictly enforce the designer-intended interactions. Our approach captures workflow using the Web DFA model and applies four design patterns to strictly enforce the intended interactions. We argue that using patterns in conjunction with a Web DFA model produces web applications that are secure from request forgery attacks by construction; more-over, our mechanism could be useful in designing workflow-based applications in other domains.