CSRF Protection — No Tokens?
Modern browsers send Sec-Fetch-Site metadata that lets servers reject cross-site requests as CSRF protection. Microdot implements this with an Origin fallback and a configurable subdomain policy.
I paused a token-heavy CSRF build after finding a browser header that can do the job. One header turned a tedious feature into a simple security shortcut.
Modern browsers send Sec-Fetch-Site metadata that lets servers reject cross-site requests as CSRF protection. Microdot implements this with an Origin fallback and a configurable subdomain policy.
Source: miguelgrinberg.com — Source link
Highlights
| Metric | Value | Notes |
|---|---|---|
| Fetch-metadata method | Uses the Sec-Fetch-Site header to detect and block cross-site requests | |
| Browser support note | Mozilla: browsers released since March 2023 include Sec-Fetch-Site | |
| Header values | same-origin, same-site, cross-site, none | Sec-Fetch-Site cannot be set via JavaScript |
| Microdot default behavior | Added allow_subdomains argument; default False (blocks same-site/subdomain requests) | |
| Fallback for older browsers | Use the Origin header when Sec-Fetch-Site is not present | Origin includes scheme; comparing Origin vs Host is non-trivial |
| OWASP status update | OWASP CSRF Cheat Sheet was updated to mention fetch-metadata | As of December 24th 2025 the Cheat Sheet lists Fetch Metadata as a complete alternative |
Key points
- Sec-Fetch-Site is a browser-set header that indicates request context and cannot be forged by page JavaScript.
- Rejecting requests with Sec-Fetch-Site == cross-site provides a practical CSRF defense for browser clients.
- Some applications may also block same-site to prevent subdomain-origin attacks; Microdot defaults to blocking subdomains.
- Not all browsers implemented Sec-Fetch-Site at the same time (Safari added it in 2023), so an Origin-header fallback is recommended.
- Comparing Origin against Host is error-prone because Origin includes scheme and Host can be modified by proxies; explicit allowed origins simplify validation.
- Microdot re-used its CORS allowed-origins list to validate Origin as the fallback trust list.
- The OWASP CSRF Cheat Sheet discussion shifted the method from a defense-in-depth note toward being treated as an alternative to token-based approaches.
Timeline
- early November — Author started implementing token-based CSRF protection for Microdot and consulted the OWASP CSRF Cheat Sheet.
- early December — A Flask issue proposing 'modern' CSRF protection led to wider community discussion and an OWASP mention of fetch-metadata.
- December 24th 2025 — OWASP CSRF Cheat Sheet lists Fetch Metadata method as a complete alternative (article notes this update).
Why this matters
Using browser-provided fetch-metadata can simplify CSRF defenses, reduce implementation complexity, and avoid token bookkeeping — but it requires careful handling of subdomains and fallbacks for older browsers. Changes in standards and OWASP guidance affect compliance and deployment choices for web apps and frameworks.
