{"id": "internals:internals-csrf", "page": "internals", "ref": "internals-csrf", "title": "CSRF protection", "content": "Datasette uses asgi-csrf to guard against CSRF attacks on form POST submissions. Users receive a ds_csrftoken cookie which is compared against the csrftoken form field (or the x-csrftoken HTTP header) for every incoming request. \n If your plugin implements a <form method=\"POST\"> anywhere you will need to include that token. You can do so with the following template snippet: \n <input type=\"hidden\" name=\"csrftoken\" value=\"{{ csrftoken() }}\"> \n If you are rendering templates using the await .render_template(template, context=None, request=None) method, the csrftoken() helper will only work if you provide the request= argument to that method. If you forget to do this you will see the following error: \n form-urlencoded POST field did not match cookie \n You can selectively disable CSRF protection using the skip_csrf(datasette, scope) hook.", "breadcrumbs": "[\"Internals for plugins\"]", "references": "[{\"href\": \"https://github.com/simonw/asgi-csrf\", \"label\": \"asgi-csrf\"}]"}