sections: upgrade_guide:security-properties
| id | page | ref | title | content | breadcrumbs | references |
|---|---|---|---|---|---|---|
| upgrade_guide:security-properties | upgrade_guide | security-properties | Security properties | For defense in depth, the ds_actor and ds_messages cookies continue to be set with SameSite=Lax (Datasette's long-standing default). This means a genuine cross-site POST from an attacker's page would arrive without the user's authentication cookie even if the header check somehow failed. | ["Upgrade guide", "Datasette 1.0a20 plugin upgrade guide", "CSRF protection is now header-based"] | [] |