
[Research] Modern CSRF protection via Sec-Fetch-Site in security-checklist #48

Closed
OktayCopurlu wants to merge 1 commit into main from research/csrf-sec-fetch-site-checklist


Conversation

@OktayCopurlu (Owner)

What

Add a new CSRF Protection (Fetch Metadata) subsection to references/security-checklist.md with 7 checklist items covering the modern header-based approach to CSRF: Sec-Fetch-Site enforcement, Origin fallback for older clients, safe-method bypass, and SameSite cookies as defense-in-depth.

Why

Token-based CSRF is now legacy for most new services:

  • Browsers have sent Sec-Fetch-Site on every request since Safari 16.4 (March 2023) — coverage is effectively universal.
  • Go 1.25 promoted this pattern to stdlib as net/http.CrossOriginProtection (August 2025), replacing the "use a framework" advice the Go team had given for a decade.
  • Filippo Valsorda (Go cryptography lead) published a detailed rationale explaining why the CSRF-token era is ending.
  • Real-world adoption is live: Datasette PR #2689 (merged April 2026) replaced its token middleware with Fetch Metadata checks.

Our security-checklist.md previously had no CSRF entry at all — only a single CORS line. Agents reviewing code today will miss CSRF concerns entirely, or worse, cargo-cult a token library when a 3-line middleware suffices.

Evidence

Score (7-dimension rubric)

  • Signal quality: 2 — Go stdlib + maintainer essay + shipped production adoption
  • Actionability: 2 — 7 concrete checklist items, immediately usable in review
  • Durability: 2 — Browser-level primitive, not tool-specific; Fetch Metadata is a stable W3C pattern
  • Non-duplication: 2 — `grep -i "csrf\|sec-fetch\|same-site" references/ skills/ prompts/` returned zero hits before this change
  • Evidence quality: 2 — 5 independent Tier 1/2 sources across vendor docs, standards, and production code
  • Clarity: 2 — Fits the existing checklist format exactly (bullet list under H2)
  • Repo Fit: 2 — Extends an existing reference file consumed by reviewing-code and security-hardening skills; no new file, no README update needed

Total: 14/14

Change

One file modified: references/security-checklist.md — inserted new subsection between API Security and Data Handling. No new files, no skill rewrites, no cross-reference churn.

Token-based CSRF is now legacy: browsers have sent Sec-Fetch-Site on
every request since Safari 16.4 (2023), and Go 1.25 promoted this
pattern to stdlib via net/http.CrossOriginProtection (Aug 2025).
Adds a new CSRF subsection with 7 checklist items covering safe-method
bypass, Sec-Fetch-Site enforcement, Origin fallback, and SameSite
as defense-in-depth.

Sources:
- https://words.filippo.io/csrf/ (Filippo Valsorda, Aug 2025)
- https://pkg.go.dev/net/http#CrossOriginProtection (Go 1.25 stdlib)
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Site
- https://web.dev/articles/fetch-metadata
- simonw/datasette#2689 (Datasette adoption, Apr 2026)
@OktayCopurlu OktayCopurlu force-pushed the research/csrf-sec-fetch-site-checklist branch from bdc0909 to 46e550b on May 2, 2026 23:48
@OktayCopurlu OktayCopurlu deleted the research/csrf-sec-fetch-site-checklist branch May 3, 2026 08:30
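The description lists four checklist points (safe-method bypass, Sec-Fetch-Site enforcement, Origin fallback for older clients, SameSite cookies as defense-in-depth) but the checklist text itself is not on this page. The following is an added illustration, not code from the PR, the checklist, or Go's standard library: a hand-written Go middleware that applies those checks in that order. The `CSRFGuard` type, its error values, the `Simulate` helper and the `example.com` hosts are this example's own assumptions. On Go 1.25+ the stdlib `net/http.CrossOriginProtection` covers the same checks and should be used instead; this version exists so the decision logic is visible and runnable on older toolchains.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Error values are this example's own names, not stdlib ones.
var (
	ErrCrossSite      = errors.New("csrf: Sec-Fetch-Site reports a cross-site or same-site request")
	ErrOriginMismatch = errors.New("csrf: Origin host does not match request Host")
	ErrBadOrigin      = errors.New("csrf: Origin header is not a parseable origin")
)

// CSRFGuard is a hand-written Fetch Metadata check (assumed type; on Go 1.25+
// prefer net/http.CrossOriginProtection). TrustedOrigins lists full origins
// such as "https://spa.example.com" that may make cross-origin state changes.
type CSRFGuard struct {
	TrustedOrigins map[string]bool
}

// Check returns nil if the request may proceed, else why it must be rejected.
func (g *CSRFGuard) Check(r *http.Request) error {
	// 1. Safe-method bypass: GET/HEAD/OPTIONS must not change state.
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return nil
	}
	origin := r.Header.Get("Origin")
	if origin != "" && g.TrustedOrigins[origin] {
		return nil // explicit allow-list for a known cross-origin front end
	}
	// 2. Sec-Fetch-Site enforcement. Browsers only send it on secure contexts
	//    (HTTPS/localhost), so an empty value falls through to the Origin check.
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none": // "none" = user-typed URL or bookmark
		return nil
	case "":
	default: // "same-site" (sibling subdomain) or "cross-site": reject both
		return ErrCrossSite
	}
	// 3. Origin fallback for clients that do not send Fetch Metadata.
	if origin == "" {
		return nil // no browser in the loop (curl, scripts, old clients); no ambient cookies to abuse
	}
	if origin == "null" {
		return ErrOriginMismatch // opaque origin: sandboxed iframe or cross-origin redirect
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return ErrBadOrigin
	}
	if !strings.EqualFold(u.Host, r.Host) {
		return ErrOriginMismatch
	}
	return nil
}

// Handler wraps next and answers 403 for requests that fail Check.
func (g *CSRFGuard) Handler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := g.Check(r); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Simulate replays a constructed request through the middleware and returns
// the HTTP status the client would see. The target host is a constructed value.
func Simulate(g *CSRFGuard, method string, headers map[string]string) int {
	req := httptest.NewRequest(method, "https://api.example.com/transfer", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	g.Handler(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		// 4. SameSite cookie as defense-in-depth: even if a check above were
		//    bypassed, Lax mode keeps the session cookie off cross-site POSTs.
		http.SetCookie(w, &http.Cookie{Name: "session", Value: "opaque", Path: "/",
			Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode})
		w.WriteHeader(http.StatusOK)
	})).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	g := &CSRFGuard{TrustedOrigins: map[string]bool{"https://spa.example.com": true}}
	cases := []struct {
		name, method string
		hdr          map[string]string
	}{
		{"GET, cross-site (safe method)", "GET", map[string]string{"Sec-Fetch-Site": "cross-site"}},
		{"POST, same-origin", "POST", map[string]string{"Sec-Fetch-Site": "same-origin"}},
		{"POST, same-site subdomain", "POST", map[string]string{"Sec-Fetch-Site": "same-site"}},
		{"POST, cross-site", "POST", map[string]string{"Sec-Fetch-Site": "cross-site"}},
		{"POST, old browser, matching Origin", "POST", map[string]string{"Origin": "https://api.example.com"}},
		{"POST, old browser, foreign Origin", "POST", map[string]string{"Origin": "https://evil.example"}},
		{"POST, curl (no headers)", "POST", nil},
		{"POST, trusted SPA origin", "POST", map[string]string{"Sec-Fetch-Site": "cross-site", "Origin": "https://spa.example.com"}},
	}
	for _, c := range cases {
		fmt.Printf("%-40s -> %d\n", c.name, Simulate(g, c.method, c.hdr))
	}
}
```

Two points worth checking in review of any such middleware: `same-site` is rejected, not allowed, because a compromised sibling subdomain is exactly the attacker position CSRF protection exists for; and the "no headers at all" branch allows the request only because a client that sends neither Sec-Fetch-Site nor Origin is not a browser carrying another site's ambient cookies, which is the same reasoning the Go stdlib type documents.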
