
CSRF protection without tokens or hidden form fields

https://blog.miguelgrinberg.com/post/csrf-protection-without-tokens-or-hidden-form-fields
70•adevilinyc•2d ago

Comments

owenthejumper•1h ago
Right now the problem is what the author already mentions - the use of Sec-Fetch-Site (FYI, HTTP headers are case insensitive :) - is considered defense in depth in OWASP right now, not a primary protection.

Unfortunately OWASP rules the world. Not because it's the best way to protect your apps, but because the corporate overlords in infosec teams need to check the box with "Complies with OWASP Top 10".

miguelgrinberg•1h ago
Hi, author here.

This was actually a mistake. If you look at the OWASP cheat sheet today you will see that Fetch Metadata is a top-level alternative to the traditional token-based protection.

I'm not sure I understand why, but the cheat sheet page was modified twice. First it entered the page with a top-level mention. Then someone slipped a revision that downgraded it to defense in depth without anyone noticing. It has now been reverted back to the original version.

Some details on what happened are in this other discussion from a couple of days ago: https://news.ycombinator.com/item?id=46347280.

tmsbrg•1h ago
I'm surprised there's no mention of the SameSite cookie attribute, I'd consider that to be the modern CSRF protection and it's easy, just a cookie flag:

https://scotthelme.co.uk/csrf-is-dead/

But I didn't know about the Sec-Fetch-Site header, good to know.

miguelgrinberg•1h ago
The OWASP CSRF prevention cheat sheet page does mention SameSite cookies, but they consider it defense in depth: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Re....

shermantanktop•53m ago
Am I missing something? The suggested protection helps with XSS flavors of CSRF but not crafted payloads that come from scripts which have freedom to fake all headers. At that point you also need an oauth/jwt type cookie passed over a private channel (TLS) to trust the input. Which is true for any sane web app, but still…

varenc•41m ago
If an attacker has a user's private authentication token, usually stored in a __Host-prefixed cookie, then it's game over anyway. CSRF is about protecting against other sites forcing a user to make a request to a site they're authenticated to, when the malicious site doesn't actually have the cookie/token.

CSRF is when you don't have the authentication token, but can force a user to make a request of your choosing that includes it.

rvnx•5m ago
If you want, “SameSite=Strict” may also be helpful and is supported on “all” browsers so it is reasonable to use it (but like you did, adding server validation is always a +).

https://caniuse.com/mdn-http_headers_set-cookie_samesite_str...

This checks Scheme, Port and Origin to decide whether the request should be allowed or not.
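A server-side version of the Sec-Fetch-Site check discussed in this thread, written here as an added example (it is not code from the linked post or from any commenter). It assumes a plain dict of request headers and the policy that only same-origin and user-initiated (`none`) requests may change state, with an Origin/Referer comparison as the fallback for clients that send no Fetch Metadata; rejecting `same-site` is a conservative choice, not something the thread prescribes.

```python
from urllib.parse import urlsplit

# Requests with these methods are assumed not to change state, so they are
# not subject to the check (the usual CSRF threat is a state-changing POST).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def _origin_of(url):
    """Reduce a URL (an Origin or Referer value) to scheme://host[:port]."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None  # covers the literal "null" Origin a browser may send
    default = {"http": 80, "https": 443}.get(parts.scheme)
    host = parts.hostname
    if port is not None and port != default:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def csrf_allowed(method, headers, own_origin):
    """Return (allowed, reason) for one request under the assumed policy."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    site = _header(headers, "Sec-Fetch-Site")
    if site is not None:
        # Browsers set Sec-Fetch-* themselves; page scripts cannot override
        # them. A non-browser client that already holds the session cookie is
        # outside the CSRF threat model, which is about ambient credentials.
        if site in ("same-origin", "none"):
            return True, f"Sec-Fetch-Site={site}"
        return False, f"Sec-Fetch-Site={site}"
    # Fallback for clients without Fetch Metadata: compare the request's
    # Origin (or Referer) against our own origin, and fail closed if neither is sent.
    source = _header(headers, "Origin") or _header(headers, "Referer")
    if source is None:
        return False, "no Sec-Fetch-Site, Origin or Referer header"
    if _origin_of(source) == _origin_of(own_origin):
        return True, "Origin/Referer matches own origin"
    return False, f"Origin/Referer {source!r} does not match {own_origin!r}"
```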

altmind•3m ago
Are there any approaches to CSRF tokens that don't require storing issued tokens on the server side?
