mlecchaslayer.bsky.social
@mlecchaslayer.bsky.social
Reposted
Does widespread browser implementation of the Sec-Fetch-Site HTTP header mean we can protect against CSRF attacks without needing those hidden form tokens? It looks like the answer may be a cautious "yes"! simonwillison.net/2025/Oct/15/...
A modern approach to preventing CSRF in Go
Alex Edwards writes about the new http.CrossOriginProtection middleware that was added to the Go standard library in version 1.25 in August and asks: Have we finally reached the point where …
simonwillison.net
October 15, 2025 at 5:07 AM
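
The token-free check the post asks about can be sketched as a small Go middleware. This is an added example, not code from the post, the linked article, or Go's `http.CrossOriginProtection`; the names `crossOriginBlocked`, `protect` and `status`, the host `app.example`, and the fallback to the `Origin` header when `Sec-Fetch-Site` is absent are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// crossOriginBlocked (hypothetical helper) flags state-changing cross-origin browser requests.
func crossOriginBlocked(r *http.Request) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return false // safe methods are expected not to change state
	}
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none": // same origin, or a user-initiated navigation
		return false
	case "": // header absent: older browser or non-browser client, check Origin below
	default: // "same-site" or "cross-site"
		return true
	}
	// No Origin either means no browser signal at all (curl, server-side client): allow.
	origin := r.Header.Get("Origin")
	u, err := url.Parse(origin)
	return origin != "" && (err != nil || u.Host != r.Host)
}

// protect wraps next and answers blocked requests with 403 Forbidden.
func protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if crossOriginBlocked(r) {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends a constructed request through protect; an empty string leaves a header unset.
func status(method, fetchSite, origin string) int {
	r := httptest.NewRequest(method, "https://app.example/transfer", nil)
	r.Header.Set("Sec-Fetch-Site", fetchSite)
	r.Header.Set("Origin", origin)
	w := httptest.NewRecorder()
	protect(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(w, r)
	return w.Code
}

func main() { fmt.Println(status("POST", "cross-site", ""), status("POST", "same-origin", "")) }
```

The check only holds if GET, HEAD and OPTIONS handlers never change state, since those methods pass through unchecked.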