CSRF Protection in 2026: How Datasette Dropped Tokens for Sec-Fetch-Site Headers
Datasette has replaced traditional CSRF tokens with Sec-Fetch-Site header validation, eliminating the need for hidden form fields and plugin hooks. This shift aligns with modern browser security standards and follows research by Filippo Valsorda.

In 2026 Datasette removed its legacy CSRF tokens and now relies on the browser-native Sec-Fetch-Site HTTP header instead. The change, detailed in PR #2689, removes the need to inject a hidden token into every form, a step that was easy to forget, costly to maintain, and handled inconsistently across plugins.
Why CSRF Tokens Became a Liability
Before 2026, Datasette relied on the asgi-csrf library to generate tokens and validate them on every form POST. Developers had to insert <input type="hidden" name="csrftoken" value="{{ csrftoken() }}"> into every HTML form. Any endpoint that needed to accept POSTs without a token, such as an API called by non-browser clients, had to be opted out through the skip_csrf() plugin hook, and every opt-out was a place where protection was deliberately switched off and had to be reasoned about separately.
Token-based systems were also fragile in both directions: a form whose template lacked the hidden input failed validation and broke for users, while a handler that accepted a POST without checking the token was silently unprotected. As Filippo Valsorda noted in his 2025 essay, "CSRF tokens are a workaround for a browser design flaw — not a real fix."
How Sec-Fetch-Site Headers Deliver Simpler, Stronger Security
The Sec-Fetch-Site header is added by all modern browsers (Chrome, Firefox, Safari, Edge) to every request they make, and page script cannot set it. It carries one of four values: same-origin (the request came from a page on this exact origin), same-site (a page on a sibling subdomain of the same registrable domain), cross-site (any other site), or none (a user-initiated navigation such as a typed URL or a bookmark). Datasette now validates this header server-side on state-changing requests: if the value is same-site or same-origin, the request is allowed; if it is cross-site, it is blocked.
This approach is simpler and, for the attack CSRF actually is, stronger:
- It requires no client-side changes: no template edits, no JavaScript, no hidden inputs
- It is enforced by the browser on every request, not by developer memory
- Sec-Fetch-Site is one of the browser's forbidden header names, so a page on an attacker's site cannot set or spoof it (an XSS flaw on the target origin itself defeats every CSRF defense, tokens included, so that is not where the two approaches differ)
- Non-browser clients such as curl do not send the header, and the check does not apply to them. That is intentional: CSRF is an attack that only a browser can be tricked into carrying out with a victim's ambient cookies, while scripted clients present their own credentials explicitly
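To make the decision concrete, here is an added example written for this article. It is not Datasette's code, not asgi-csrf, and not Go's implementation; the function name is_allowed, the expected_host parameter and the allow_same_site switch are assumptions made for illustration, and the policy shape (reject same-site by default, treat a missing header as "not a modern browser" only after checking the Origin header) follows Filippo Valsorda's design rather than anything the page attributes to Datasette. The sample requests are constructed, not captured traffic.

```python
"""Fetch-Metadata CSRF check: the decision a server makes from Sec-Fetch-Site.

Added example for this article. It is not Datasette's code, not asgi-csrf and
not Go's net/http.CrossOriginProtection; it only mirrors the policy shape of
Filippo Valsorda's design so that every case is visible in one place.
"""
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Methods that must never change state; CSRF only concerns state-changing requests.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def _origin_host(origin: str) -> Optional[str]:
    """host[:port] from an Origin header value, or None if it cannot be trusted.

    'null' (sandboxed iframe, some cross-origin redirects) is unverifiable, so
    it maps to None and the caller rejects the request.
    """
    value = origin.strip()
    if value == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return parts.netloc.lower()


def is_allowed(method: str, headers: Mapping[str, str], expected_host: str,
               allow_same_site: bool = False) -> bool:
    """Return True if the request passes the CSRF check.

    expected_host is the host[:port] the server is reached on; assumed to come
    from configuration, not from the request's own Host header.
    allow_same_site=True is the looser policy that also trusts sibling
    subdomains; the default rejects them, as Go's implementation does.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True

    site = h.get("sec-fetch-site")
    if site is not None:
        site = site.strip().lower()
        if site in ("same-origin", "none"):
            # same-origin: our own pages. none: user-initiated navigation
            # (address bar, bookmark), which no attacker page controls.
            return True
        if site == "same-site":
            return allow_same_site
        # cross-site, or a value we do not recognise: fail closed.
        return False

    # No Sec-Fetch-Site: an older browser (Safari before 16.4) or a
    # non-browser client. Browsers sent Origin on cross-origin POSTs before
    # they sent Fetch Metadata, so Origin is the fallback signal.
    origin = h.get("origin")
    if origin is None:
        # Neither header: a scripted client such as curl. It cannot be tricked
        # into attaching a victim's cookies, so the check does not apply.
        return True
    return _origin_host(origin) == expected_host.lower()


# Constructed sample requests (not captured traffic): (label, method, headers).
SAMPLES = [
    ("same-origin form post", "POST", {"Sec-Fetch-Site": "same-origin"}),
    ("attacker page, modern browser", "POST",
     {"Sec-Fetch-Site": "cross-site", "Origin": "https://evil.example"}),
    ("attacker page, pre-16.4 Safari", "POST", {"Origin": "https://evil.example"}),
    ("own page, pre-16.4 Safari", "POST", {"Origin": "https://data.example.com"}),
    ("sandboxed iframe", "POST", {"Origin": "null"}),
    ("sibling subdomain", "POST", {"Sec-Fetch-Site": "same-site"}),
    ("curl, no browser headers", "POST", {}),
    ("cross-site GET", "GET", {"Sec-Fetch-Site": "cross-site"}),
]


def evaluate_samples(expected_host: str = "data.example.com") -> dict:
    """Run every sample through the check; returns {label: allowed}."""
    return {label: is_allowed(m, hdrs, expected_host) for label, m, hdrs in SAMPLES}


if __name__ == "__main__":
    for label, allowed in evaluate_samples().items():
        print(f"{'ALLOW ' if allowed else 'REJECT'}  {label}")
```

The two cases worth studying are the last two POST samples: the request with no browser headers at all is let through because no browser-carried credential can be riding on it, while the request that carries only an Origin is treated as a browser too old to send Fetch Metadata and is judged on that Origin instead. An implementation that skipped the Origin fallback would let any pre-2023 Safari user be attacked.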
Impact on Datasette Plugins and Developers
This change has dramatically simplified plugin development. Plugin authors no longer need to:
- Inject CSRF tokens into dynamically generated forms
- Handle the skip_csrf() hook for API endpoints
- Debug template-related CSRF failures
The official Datasette CSRF documentation now provides a clear migration guide, including code examples for updating templates and plugins. For instance, removing the token line from a form is now the only required step:
<!-- BEFORE -->
<form method="post">
<input type="hidden" name="csrftoken" value="{{ csrftoken() }}">
<!-- form fields -->
</form>
<!-- AFTER -->
<form method="post">
<!-- CSRF protection is now automatic -->
<!-- form fields -->
</form>
AI-Assisted Development Accelerates Security Modernization
Simon Willison noted that the implementation of this change was significantly accelerated by AI-assisted programming. The bulk of the code, spanning ten commits, was generated by Claude Code, with final validation and architecture review handled by GPT-5.4 and human maintainers. The episode is a useful data point for AI-assisted work on security-sensitive code: the generated change went through maintainer review before it shipped, which is the part that makes such a workflow acceptable for a security control.
Browser Compatibility and Real-World Adoption
The Sec-Fetch-Site header is defined by the Fetch Metadata Request Headers specification, a W3C Working Draft rather than a finished Recommendation, and it ships in every current major browser: Chrome since version 76 (2019), Firefox since version 90 (2021) and Safari since version 16.4 (2023). Older browsers and custom HTTP clients (Python scripts, curl, bots) do not send it. Datasette intentionally leaves such requests alone, since CSRF protection targets human users in browsers, not programmatic access. One caveat for anyone implementing the same check: a request without the header is not necessarily a non-browser client, because it may come from a browser older than the versions above, so an implementation that lets header-less requests through should still compare the Origin header, which browsers sent on cross-origin POSTs well before they sent Fetch Metadata, against the host the server expects.
This move mirrors Go 1.25, whose standard library added net/http.CrossOriginProtection, an opt-in middleware that rejects non-safe cross-origin browser requests using Sec-Fetch-Site and falls back to comparing Origin with Host when the header is absent. A standard-library implementation is a strong signal that the technique is mature.
By removing CSRF tokens, Datasette is not just improving security; it is reducing cognitive load for developers and pointing to how modern web applications should defend against cross-site request forgery. CSRF protection is no longer something a template author has to think about. The browser supplies the signal and the server checks it.

