sections: internals:internals-csrf
| id | page | ref | title | content | breadcrumbs | references |
|---|---|---|---|---|---|---|
| internals:internals-csrf | internals | internals-csrf | CSRF protection | Datasette protects against Cross-Site Request Forgery by inspecting the browser-set `Sec-Fetch-Site` and `Origin` headers on every unsafe (non-`GET`/`HEAD`/`OPTIONS`) request, following the approach described in Filippo Valsorda's article and implemented in Go 1.25's `http.CrossOriginProtection`. A request is rejected with a 403 response if: it carries `Sec-Fetch-Site` with any value other than `same-origin` or `none` (`none` means a user-initiated navigation such as a typed URL or a bookmark, which another site cannot forge); or it has no `Sec-Fetch-Site` header but does carry an `Origin` header whose host does not match the request `Host`. Requests from non-browser clients (`curl`, server-to-server scripts, etc.) send neither `Sec-Fetch-Site` nor `Origin` and pass through unchanged: CSRF is a browser-only attack. No token, cookie, or hidden form field is needed. Any `<form method="POST">` inside Datasette or a plugin will be accepted from the same origin without modification. | ["Internals for plugins"] | [{"href": "https://words.filippo.io/csrf/", "label": "Filippo Valsorda's article"}] |
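The rule described in the row above, as an added example that is not Datasette's own code: a stand-alone Python re-implementation of the `Sec-Fetch-Site` / `Origin` check run over a set of constructed requests, one per branch. The function name `check_cross_origin`, the sample requests and the host `localhost:8001` are assumptions made for this example. Beyond the text, it also shows how an opaque `Origin: null` and a differently-cased host are handled.

```python
from urllib.parse import urlsplit

# Methods that must not change server state and so are never CSRF targets.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def check_cross_origin(method, headers, host):
    """Apply the Sec-Fetch-Site / Origin rule to one request.

    Returns None when the request may proceed, otherwise a short reason
    string that a server would turn into a 403 response.
    `headers` is a mapping of header names (any case) to string values;
    `host` is the value of the request's Host header.
    Hypothetical re-implementation of the rule described in the text,
    not Datasette's own code.
    """
    if method.upper() in SAFE_METHODS:
        return None

    lowered = {name.lower(): value for name, value in headers.items()}

    sec_fetch_site = lowered.get("sec-fetch-site")
    if sec_fetch_site is not None:
        # A browser that implements Fetch Metadata states who sent the request:
        # "same-origin" = a page from this site, "none" = user-initiated
        # navigation (typed URL, bookmark). "same-site" and "cross-site" are refused.
        if sec_fetch_site in ("same-origin", "none"):
            return None
        return f"Sec-Fetch-Site: {sec_fetch_site} is not same-origin"

    origin = lowered.get("origin")
    if origin is None:
        # Neither header present: a non-browser client such as curl.
        return None

    # Fallback for browsers without Sec-Fetch-Site: compare the Origin host
    # with the request Host. "Origin: null" (sandboxed iframes, some redirect
    # chains) parses to an empty netloc and is therefore refused as well.
    origin_host = urlsplit(origin).netloc.lower()
    if not origin_host or origin_host != host.lower():
        return f"Origin {origin} does not match Host {host}"
    return None


# Constructed sample requests (not captured traffic), one per branch of the rule.
HOST = "localhost:8001"
SAMPLE_REQUESTS = {
    "same-origin form post": ("POST", {"Sec-Fetch-Site": "same-origin", "Origin": f"http://{HOST}"}),
    "cross-site form post": ("POST", {"Sec-Fetch-Site": "cross-site", "Origin": "https://evil.example"}),
    "sibling subdomain post": ("POST", {"Sec-Fetch-Site": "same-site", "Origin": "https://app.example.com"}),
    "user-initiated navigation": ("POST", {"Sec-Fetch-Site": "none"}),
    "older browser, matching origin": ("POST", {"Origin": f"http://{HOST}"}),
    "older browser, foreign origin": ("POST", {"Origin": "https://evil.example"}),
    "older browser, opaque origin": ("POST", {"Origin": "null"}),
    "curl": ("POST", {"User-Agent": "curl/8.0"}),
    "cross-site GET": ("GET", {"Sec-Fetch-Site": "cross-site"}),
}


def classify_samples():
    """Return {label: reason-or-None} for every constructed request."""
    return {
        label: check_cross_origin(method, headers, HOST)
        for label, (method, headers) in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for label, reason in classify_samples().items():
        verdict = "403 " + reason if reason else "200 allowed"
        print(f"{label:32} {verdict}")
```

The `Host` comparison in this example is exact apart from case, port included, the same way `http.CrossOriginProtection` compares the parsed `Origin` host with `r.Host`; a reverse proxy that rewrites `Host` on the way in would therefore turn every legitimate browser `POST` from an older browser into a 403, so the value the check sees must be the one the browser put in its `Origin` header.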