Simon WillisonProductsTuesday, April 14, 2026

datasette PR #2689: Replace token-based CSRF with Sec-Fetch-Site header protection

AI-Generated Summary

Datasette is shifting its CSRF protection mechanism from traditional token-based validation to a more modern approach using the Sec-Fetch-Site HTTP header. The previous token-based system, implemented through the asgi-csrf Python library, required developers to add CSRF tokens to forms throughout templates, creating friction in the development process and adding complexity to the codebase.

The Sec-Fetch-Site header is a browser-supplied security header that automatically identifies whether a request originates from the same site, a cross-site source, or a user-initiated navigation. This approach eliminates the need for manual token insertion in forms, reducing boilerplate code and simplifying template management while maintaining equivalent security against cross-site request forgery attacks.

This change reflects a broader industry trend toward leveraging modern browser security features to replace older workaround mechanisms. By adopting Sec-Fetch-Site validation, Datasette improves developer experience and code maintainability without sacrificing security, though it does require that users' browsers support these headers—a consideration for applications serving legacy browser environments.

Key Takeaways

Datasette is shifting its CSRF protection mechanism from traditional token-based validation to a more modern approach using the Sec-Fetch-Site HTTP header.
The previous token-based system, implemented through the asgi-csrf Python library, required developers to add CSRF tokens to forms throughout templates, creating friction in the development process and adding complexity to the codebase.
The Sec-Fetch-Site header is a browser-supplied security header that automatically identifies whether a request originates from the same site, a cross-site source, or a user-initiated navigation.
This approach eliminates the need for manual token insertion in forms, reducing boilerplate code and simplifying template management while maintaining equivalent security against cross-site request forgery attacks.

Read the full article on Simon Willison

Read on Simon Willison

Simon Willison10m ago

datasette.io news preview

Products

Tool: datasette.io news preview The datasette.io website has a news section built from this news.yaml file in the underlying GitHub repository. The YAML format looks like this: - date: 2026-04-15 body: |- [Datasette 1.0a27](https://docs.datasette.io/en/latest/changelog.html#a27-2026-04-15) changes...

The Register1 day ago

AI-powered mainframe exits are a bubble set to pop: Gartner

Products

Gartner warns that artificial intelligence solutions marketed for mainframe migration are experiencing inflated expectations that will likely lead to widespread failures. The analyst firm predicts that approximately 70 percent of AI-powered mainframe exit projects will fail, and roughly 75 percent of vendors operating in this space will disappear from the market. This represents what Gartner characterizes as a bubble in the emerging sector of AI-driven legacy system modernization.

Simon Willison1 day ago

Zig 0.16.0 release notes: "Juicy Main"

Products

Zig programming language has released version 0.16.0, featuring a notable new capability called "Juicy Main," which implements dependency injection functionality. This feature allows developers to inject dependencies directly into main functions, streamlining code organization and reducing boilerplate. The release maintains Zig's reputation for comprehensive and detailed release notes that include practical usage examples for new features.

Hugging Face18h ago

Meet HoloTab by HCompany. Your AI browser companion.

Products

HCompany has launched HoloTab, an AI-powered browser companion that integrates artificial intelligence directly into web browsing to assist users with tasks, information retrieval, and navigation. This represents the growing trend of embedding AI agents into everyday digital tools, competing with similar initiatives from major tech companies to make AI assistance ambient and always-accessible rather than confined to separate applications.

Wired18h ago

The Deepfake Nudes Crisis in Schools Is Much Worse Than You Thought

Products

An investigation by WIRED and Indicator has documented a significant and widespread problem involving AI-generated deepfake nude images in schools globally. The analysis identified nearly 90 schools and approximately 600 students affected by the creation and distribution of these non-consensual intimate images, revealing that the issue is far more extensive than previously understood.