FYI, Q2A doesn't currently have CSRF protection. There are no GET requests with side-effects in Q2A, so only POST attacks would be an issue - these are somewhat harder to pull off, but still a possibility.
With CSRF, it's only possible to attack a specific Q2A site, not all Q2A sites in general. So it shouldn't be a major concern unless your site has a very high profile within some specific community, many of whose members also hang out a lot at some other specific site, and where that other site owner is a nasty piece of work.
Still, this should be addressed in a future version.