For implementing CSRF (Cross-Site Request Forgery) protection correctly, especially in forms like promotion code submissions during checkout, best practices include:

Option A (Ensure the CSRF protection is validated on form submission): It is crucial to validate the CSRF token upon the form's submission to ensure that the request originates from a legitimate source and corresponds to the user's intended actions, enhancing security against CSRF attacks.

Option D (Only use POST methods over HTTPS): Using POST methods for transmitting form data helps mitigate the risk of CSRF attacks as opposed to GET methods which can be manipulated more easily via URL. Ensuring the communication is over HTTPS encrypts the transmission, securing the data from interception or tampering during transit.

These practices safeguard against common security vulnerabilities and ensure that the application adheres to secure coding standards.