AI · Simon Willison · 3h ago
datasette PR #2689: Replace token-based CSRF with Sec-Fetch-Site header protection
TL;DR: Datasette ditches CSRF tokens for simpler browser header-based protection.
Why it matters: Reduces complexity for developers while maintaining security against cross-site attacks.
Datasette has long protected against CSRF attacks using CSRF tokens, implemented using my asgi-csrf Python library. These are something of a pain to work with - you need to scatter forms in…