{"ok": true, "database": "docs", "table": "sections", "rows": [{"id": "changelog:csrf-protection-no-longer-uses-csrf-tokens", "page": "changelog", "ref": "csrf-protection-no-longer-uses-csrf-tokens", "title": "CSRF protection no longer uses CSRF tokens", "content": "Datasette's token-based CSRF protection has been replaced with a mechanism based on the Sec-Fetch-Site and Origin request headers, which are supported by all modern browsers. See this article by Filippo Valsorda for more details of this approach. This removes the need for CSRF tokens in forms and AJAX requests. (#2689)", "breadcrumbs": "[\"Changelog\", \"1.0a27 (2026-04-15)\"]", "references": "[{\"href\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Site\", \"label\": \"supported by all modern browsers\"}, {\"href\": \"https://words.filippo.io/csrf/\", \"label\": \"this article by Filippo Valsorda\"}, {\"href\": \"https://github.com/simonw/datasette/pull/2689\", \"label\": \"#2689\"}]"}], "primary_keys": ["id"], "primary_key_values": ["changelog:csrf-protection-no-longer-uses-csrf-tokens"], "query_ms": 21.611570002278313, "truncated": false}