3.100.0.txt

doc/release_notes/3.100.0.txt

New Features

  • A sec_fetch_site_csrf plugin has been added, which implements CSRF protection using the Sec-Fetch-Site header. This offers weaker CSRF protection than the route_csrf plugin, but doesn’t require CSRF tokens in forms. Other caveats when using the plugin:

    • Not all browsers set the Sec-Fetch-Site header. Some popular browsers did not add support until 2023.

    • Sec-Fetch-Site is only set on HTTPS requests, not on HTTP requests, so if you need to support HTTP requests, you cannot rely on it.

    • Because no token is used, there is no support for secure cross-site CSRF protection by sharing a token between sites.

    Like the route_csrf plugin, the sec_fetch_site_csrf plugin exposes a method (check_sec_fetch_site!) that you can call at the appropriate point in your routing tree to enforce the CSRF protection.

    By default, only same-origin requests are allowed. Using plugin options, you can also allow same-site or none requests, or requests where the header is not present.

    For CSRF violations, the default is to raise an exception. You can use plugin options to either return a blank 403 page or clear the current session. You can also pass a block to either the plugin or to the check_sec_fetch_site! method for custom handling.
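    The decision described above, as an added standalone Ruby example that is not the plugin's own code: the option names, the set of request methods that skip the check, and the return values are assumptions for illustration, chosen to mirror the behaviours listed in this note.

```ruby
# Added example, not the sec_fetch_site_csrf plugin's code: a standalone
# version of the decision the release note describes, so the policy can be
# exercised without a Roda app. Option names, the list of request methods that
# skip the check, and the return values are assumptions for illustration.
SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

class SecFetchSiteCSRFError < StandardError; end

# env is a Rack-style hash (headers upcased with an HTTP_ prefix).
# Returns :ok when the request passes. On a violation it either raises
# (default), returns :empty_403 (caller sends a blank 403), or clears the
# session hash and returns :session_cleared (caller continues routing).
def check_sec_fetch_site(env, session, allow_same_site: false, allow_none: false,
                         allow_missing: false, on_failure: :raise)
  # State-changing methods are the CSRF concern; reads pass through (assumption).
  return :ok if SAFE_METHODS.include?(env['REQUEST_METHOD'])

  value = env['HTTP_SEC_FETCH_SITE']
  allowed =
    case value
    when 'same-origin' then true             # always accepted
    when 'same-site'   then allow_same_site  # e.g. a sibling subdomain
    when 'none'        then allow_none       # typed URL or bookmark
    when nil, ''       then allow_missing    # old browser or plain HTTP
    else false                               # 'cross-site' or unknown value
    end
  return :ok if allowed

  case on_failure
  when :raise
    raise SecFetchSiteCSRFError,
          "Sec-Fetch-Site #{value.inspect} rejected for #{env['REQUEST_METHOD']}"
  when :empty_403
    :empty_403
  when :clear_session
    session.clear
    :session_cleared
  else
    raise ArgumentError, "unknown on_failure: #{on_failure.inspect}"
  end
end

# Constructed request: a same-origin POST passes the default policy.
p check_sec_fetch_site({ 'REQUEST_METHOD' => 'POST',
                         'HTTP_SEC_FETCH_SITE' => 'same-origin' }, {}) # → :ok
```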