Datasette Ditches CSRF Tokens for Sec-Fetch-Site Headers
Datasette replaces cumbersome token-based CSRF with Sec-Fetch-Site header checks—inspired by Go 1.25—eliminating form tokens and API exemptions for simpler security.
Token-Based CSRF Drawbacks and Replacement Rationale
Token-based CSRF protection in Datasette relied on the asgi-csrf library, which required a {% csrf_token %} tag in every HTML form and a skip_csrf plugin hook to exempt requests that legitimately arrive without a token, such as API calls from non-browser clients. That protection was scattered across templates, plugin code and exemption logic, which made it painful to maintain, and a forgotten tag or an over-broad exemption was an easy mistake to make. The replacement draws on Filippo Valsorda's August 2025 research essay and the matching Go 1.25 implementation: browsers attach a Sec-Fetch-Site header (same-origin, same-site, cross-site or none) to every request they make, and a page on another site cannot alter it, so the server can refuse state-changing requests that the browser itself labels as coming from elsewhere without issuing or verifying any token.
Key Code and Documentation Changes
Landed in PR #2689, the update introduces new ASGI middleware that enforces Sec-Fetch-Site validation, directly inspired by the referenced Go changes. All {% csrf_token %} instances are excised from templates, the skip_csrf(datasette, scope) hook is removed entirely (including its docs and tests), and CSRF documentation is overhauled to explain header-based mechanics. The upgrade guide explicitly flags this breaking change, ensuring plugin authors adapt without the old hook. Claude Code generated the 10-commit implementation under tight human guidance and GPT-5.4 review, with the author hand-writing the PR description for conciseness and accuracy.
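The header check described in the two sections above, written out as a small ASGI middleware so the decision logic can be read and exercised end to end. This is an added illustration, not Datasette's middleware from PR #2689 and not asgi-csrf; the rules follow the behaviour documented for Go 1.25's net/http CrossOriginProtection (safe methods pass, Sec-Fetch-Site same-origin/none passes, any other value is rejected, a missing header falls back to comparing Origin with Host, and a request with neither header is treated as a non-browser client). The trusted_origins allow-list and all sample requests are constructed for the example.

```python
"""Sec-Fetch-Site based CSRF check as a minimal ASGI middleware (illustration).

Not Datasette's or asgi-csrf's code. Decision rules mirror those documented
for Go 1.25's CrossOriginProtection; `trusted_origins` is a hypothetical
allow-list added here so the cross-origin exemption path can be shown.
"""
import asyncio
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def is_allowed(method, headers, trusted_origins=()):
    """Return True if the request passes the cross-origin check.

    headers: lower-cased header name -> value (decoded from the ASGI scope).
    trusted_origins: full origins (scheme://host[:port]) allowed to make
    cross-origin unsafe requests; hypothetical, empty by default.
    """
    if method.upper() in SAFE_METHODS:
        # Safe methods are never blocked, so GET handlers must stay side-effect free.
        return True

    origin = headers.get("origin", "")
    if origin and origin in trusted_origins:
        return True

    fetch_site = headers.get("sec-fetch-site", "")
    if fetch_site in ("same-origin", "none"):
        # Same origin, or user-initiated navigation (typed URL, bookmark).
        return True
    if fetch_site:
        # "cross-site", "same-site" or anything unknown: the browser reports
        # that a different origin initiated the request.
        return False

    # No Sec-Fetch-Site: a pre-2023 browser or a non-browser client.
    if not origin:
        # Neither header present; a browser would have sent at least one,
        # so this is an API client such as curl or a script.
        return True
    # Fallback for old browsers: Origin must match Host. Host carries no
    # scheme, so an http->https mismatch is not detected here (fails open,
    # as in the Go implementation).
    return urlsplit(origin).netloc == headers.get("host", "")


def sec_fetch_site_csrf(app, trusted_origins=()):
    """Wrap an ASGI app; answer 403 to requests that fail is_allowed()."""

    async def wrapped(scope, receive, send):
        if scope["type"] == "http":
            headers = {
                k.decode("latin-1").lower(): v.decode("latin-1")
                for k, v in scope.get("headers", [])
            }
            if not is_allowed(scope["method"], headers, trusted_origins):
                await send({
                    "type": "http.response.start",
                    "status": 403,
                    "headers": [(b"content-type", b"text/plain; charset=utf-8")],
                })
                await send({
                    "type": "http.response.body",
                    "body": b"Cross-origin request rejected\n",
                })
                return
        await app(scope, receive, send)

    return wrapped


async def _echo_app(scope, receive, send):
    """Stand-in downstream app that always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def status_for(method, raw_headers, trusted_origins=()):
    """Drive the middleware with a constructed ASGI scope; return the HTTP status."""
    scope = {
        "type": "http",
        "method": method,
        "headers": [(k.encode(), v.encode()) for k, v in raw_headers],
    }
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(sec_fetch_site_csrf(_echo_app, trusted_origins)(scope, receive, send))
    return sent[0]["status"]


# Constructed sample requests, not captured traffic.
CASES = {
    "browser form POST, same origin": ("POST", [("host", "data.example"),
        ("origin", "https://data.example"), ("sec-fetch-site", "same-origin")]),
    "attacker page POSTing cross-site": ("POST", [("host", "data.example"),
        ("origin", "https://evil.example"), ("sec-fetch-site", "cross-site")]),
    "API client, no browser headers": ("POST", [("host", "data.example"),
        ("authorization", "Bearer example-token")]),
    "old browser, Origin matches Host": ("POST", [("host", "data.example"),
        ("origin", "https://data.example")]),
    "old browser, Origin mismatch": ("POST", [("host", "data.example"),
        ("origin", "https://evil.example")]),
    "cross-site GET (safe method)": ("GET", [("host", "data.example"),
        ("sec-fetch-site", "cross-site")]),
}


def evaluate_cases():
    """Run every constructed case through the middleware; name -> status."""
    return {name: status_for(m, h) for name, (m, h) in CASES.items()}


if __name__ == "__main__":
    for name, status in evaluate_cases().items():
        print(f"{status}  {name}")
```

Note that the API-client case passes with no exemption at all: a non-browser client simply never sends Sec-Fetch-Site or Origin, which is what makes the skip_csrf hook unnecessary. The "same-site" value is rejected on purpose, since a sibling subdomain is a different origin; a deployment that needs cross-origin form posts from a known origin lists it explicitly rather than loosening the header rule.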
Practical Outcomes for Datasette Users
Forms now work token-free, which removes template boilerplate and the risk of a form shipping without protection because someone forgot the tag. API clients such as curl or scripts send neither Sec-Fetch-Site nor Origin, so they pass the check without a dedicated exemption, while a browser-issued cross-site POST is rejected. Two caveats come with the approach as Valsorda's design describes it: only unsafe methods are checked, so GET handlers must stay free of side effects, and browsers too old to send Sec-Fetch-Site (every major browser has sent it since Safari 16.4 in 2023) are covered only by the fallback comparison of Origin against Host. Within those limits this aligns Datasette with modern browser security signals, trading token overhead for header scrutiny while easing developer experience in Python/ASGI apps.