Datasette has replaced traditional CSRF token protection with a modern approach using Sec-Fetch-Site headers, inspired by Go 1.25's implementation. This eliminates the need for hidden token inputs in forms and simplifies CSRF protection. The change was implemented with AI assistance and follows recent security research by Filippo Valsorda.
Background
CSRF (Cross-Site Request Forgery) protection is a critical web security measure that prevents unauthorized commands from being executed on behalf of authenticated users. Traditional implementations use tokens that must be included in forms and validated server-side.
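The header-based check described above, as an added example that is not Datasette's own code and not the Go standard library's: a pure decision function that mirrors the rules of Go 1.25's `http.CrossOriginProtection` as understood here (safe methods pass; `Sec-Fetch-Site: same-origin` or `none` pass; `cross-site` and `same-site` are rejected; when the header is absent, fall back to comparing `Origin` against the request `Host`, and treat a request with no `Origin` at all as a non-browser client), plus a minimal ASGI wrapper. The middleware class, the `trusted_origins` parameter, the request path and all header values are assumptions constructed for the example.

```python
"""Sec-Fetch-Site based CSRF protection, written as an added example.
Not Datasette's code; the rules mirror Go 1.25's CrossOriginProtection
as understood here. Requests with no Origin and no Sec-Fetch-Site are
treated as non-browser clients, which cannot be driven by a CSRF attack."""
import asyncio
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state


def is_cross_origin_request_allowed(method, headers, host, trusted_origins=()):
    """Return (allowed, reason) for one request.

    headers: mapping of header name -> value (case-insensitive names).
    host: the Host value the server accepts as its own.
    trusted_origins: assumed allow-list of full origins, e.g. "https://a.example".
    """
    headers = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = headers.get("origin")
    if origin in trusted_origins:
        return True, "trusted origin"
    sfs = headers.get("sec-fetch-site")
    if sfs is not None:
        # Modern browsers send this on every request; same-site is rejected
        # too, because a sibling subdomain is not the same origin.
        if sfs in ("same-origin", "none"):
            return True, f"sec-fetch-site={sfs}"
        return False, f"sec-fetch-site={sfs}"
    if origin is None:
        return True, "no Origin header (non-browser client)"
    # Older browsers: fall back to Origin vs Host. "null" parses to an
    # empty netloc and is therefore rejected.
    origin_host = urlsplit(origin).netloc
    if origin_host and origin_host.lower() == host.lower():
        return True, "origin matches host"
    return False, f"origin {origin!r} does not match host {host!r}"


class SecFetchSiteCSRF:
    """Hypothetical ASGI middleware (not Datasette's) applying the check."""

    def __init__(self, app, trusted_origins=()):
        self.app = app
        self.trusted_origins = set(trusted_origins)

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            # ASGI delivers headers as lower-cased (bytes, bytes) pairs.
            headers = {k.decode("latin-1"): v.decode("latin-1")
                       for k, v in scope.get("headers", [])}
            allowed, reason = is_cross_origin_request_allowed(
                scope["method"], headers, headers.get("host", ""),
                self.trusted_origins)
            if not allowed:
                await send({"type": "http.response.start", "status": 403,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body",
                            "body": f"CSRF rejected: {reason}".encode()})
                return
        await self.app(scope, receive, send)


async def _ok_app(scope, receive, send):
    """Stand-in application that accepts every request it is handed."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def demo_statuses():
    """Drive the middleware with two constructed POST requests and return
    the status each received: a same-origin form post, then a cross-site one."""
    app = SecFetchSiteCSRF(_ok_app)
    results = []

    async def run(extra_headers):
        sent = []

        async def send(msg):
            sent.append(msg)

        async def receive():
            return {"type": "http.request", "body": b""}

        scope = {"type": "http", "method": "POST", "path": "/form",
                 "headers": [(b"host", b"example.com")] + extra_headers}
        await app(scope, receive, send)
        results.append(sent[0]["status"])

    asyncio.run(run([(b"sec-fetch-site", b"same-origin")]))
    asyncio.run(run([(b"sec-fetch-site", b"cross-site")]))
    return results


if __name__ == "__main__":
    print(demo_statuses())  # [200, 403]
```

The decision function is kept free of framework types so it can be unit-tested directly; the fallback branch matters only for browsers that predate `Sec-Fetch-Site`, and an `Origin` of `null` (sandboxed iframes, some redirects) is rejected rather than trusted.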
Source: Simon Willison
Published: Apr 15, 2026 at 07:58 AM
Score: 6.0 / 10