@simonwillison.net on Bluesky

JavaScript RequiredThis is a heavily interactive web application, and JavaScript is required. Simple HTML interfaces are possible, but that is not what this is. Learn more about Bluesky at bsky.social and atproto.com.

Post

Simon Willison

simonwillison.net

did:plc:kft6lu4trxowqmter2b6vg6z

Does widespread browser implementation of the Sec-Fetch-Site HTTP header mean we can protect against CSRF attacks without needing those hidden form tokens? It looks like the answer may be a cautious "yes"! https://simonwillison.net/2025/Oct/15/csrf-in-go/

2025-10-15T05:07:58.687Z