datasette PR #2689: Replace token-based CSRF with Sec-Fetch-Site header protection

2026-04-14 · Source: Simon Willison's Weblog · Field: Technology & Digital — Software Development & Engineering, Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning · Depth: Advanced, quick

Summary

Datasette has replaced its token-based Cross-Site Request Forgery (CSRF) protection with a new system leveraging the `Sec-Fetch-Site` header, inspired by Filippo Valsorda's research and its implementation in Go 1.25. This change, documented in Datasette PR #2689, eliminates the need for CSRF tokens and the associated `` lines in templates, simplifying development. The update also removes the `skip_csrf` plugin hook and its related documentation and tests. The new approach is detailed in Datasette's updated CSRF protection documentation and its upgrade guide, with much of the implementation work attributed to Claude Code and cross-reviewed by GPT-5.4.

Key takeaway

For engineering teams building web applications, adopting `Sec-Fetch-Site` header-based CSRF protection, as demonstrated by Datasette and Go 1.25, can significantly streamline development by removing token management overhead. You should evaluate migrating from traditional CSRF tokens to this header-based approach to simplify your codebase and enhance security posture.

Key insights

Modern CSRF protection can effectively use the `Sec-Fetch-Site` header, simplifying web application security.

Principles

• Header-based CSRF protection reduces template complexity.
• External research can inform core security feature updates.

Method

Implement CSRF protection by validating the `Sec-Fetch-Site` header, removing token-based mechanisms, and updating related templates and plugin hooks.

In practice

• Review `Sec-Fetch-Site` header for CSRF defense.
• Eliminate CSRF tokens from forms and APIs.
• Simplify template rendering by removing hidden fields.

Topics

• CSRF Protection
• Sec-Fetch-Site Header
• Datasette
• Go 1.25
• Web Security

Code references

• simonw/datasette
• simonw/asgi-csrf

Best for: CTO, VP of Engineering/Data, Software Engineer, AI Security Engineer, AI Engineer

Related on AIssential

• CSP Allow-list Experiment — Dynamically managing CSP allow-lists in sandboxed iframes enhances user experience and application flexibility.
• Chrome stops hackers from stealing your browser cookies now - how its new security feature works — Device Bound Session Credentials (DBSC) cryptographically ties browser cookies to a device's security chip, preventing their use if stolen.
• LinkedIn Leverages GitHub Actions, CodeQL, and Semgrep for Code Scanning — LinkedIn modernized its SAST pipeline using GitHub Actions, CodeQL, and Semgrep for consistent, scalable, and developer-friendly code security.
• CrowdStrike launches Falcon Data Security for enterprise data protection — CrowdStrike's Falcon Data Security unifies real-time data protection across diverse digital and AI environments.
• BadHost Vulnerability Exposes AI Agents, Evaluators, and LLM Gateways — Malformed HTTP Host headers in Starlette enable authentication bypass by shifting URL path interpretation.
• Securing the Distributed Ecosystem: A Deep Dive into Spring Security and Stateless JWT — Proper Spring Boot API security requires intentional design using BCrypt for passwords and stateless JWTs with custom validation.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Simon Willison's Weblog.