sections: changelog:csrf-protection-no-longer-uses-csrf-tokens
| id | page | ref | title | content | breadcrumbs | references |
|---|---|---|---|---|---|---|
| changelog:csrf-protection-no-longer-uses-csrf-tokens | changelog | csrf-protection-no-longer-uses-csrf-tokens | CSRF protection no longer uses CSRF tokens | Datasette's token-based CSRF protection has been replaced with a mechanism based on the Sec-Fetch-Site and Origin request headers, which are supported by all modern browsers. See this article by Filippo Valsorda for more details of this approach. This removes the need for CSRF tokens in forms and AJAX requests. (#2689) | ["Changelog", "1.0a27 (2026-04-15)"] | [{"href": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Site", "label": "supported by all modern browsers"}, {"href": "https://words.filippo.io/csrf/", "label": "this article by Filippo Valsorda"}, {"href": "https://github.com/simonw/datasette/pull/2689", "label": "#2689"}] |