the summary of CORS, CSRF, and various attack vectors in the motivations section of this proposal is really really good (and very worth reading if you're like me and have been meaning to form a more principled understanding of the problem space!)
Reposted from
Filippo Valsorda
In which I survey CSRF countermeasures and existing Go libraries and propose we add CrossOriginForgeryHandler to net/http to solve this once and for all.
Turns out there is no need for tokens or keys in 2025! Browsers just send a This-Is-CSRF header now. (Sort of.)
https://github.com/golang/go/iss
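Added example, not Filippo's code or the proposal's CrossOriginForgeryHandler: the header the post alludes to is Sec-Fetch-Site, and this hypothetical Go middleware rejects state-changing cross-site requests on it, falling back to comparing Origin against Host when the header is absent. The request and the hostnames are constructed for the demo.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// crossOriginProtect is a hypothetical middleware sketched for this post, not the
// proposal's CrossOriginForgeryHandler: it trusts Sec-Fetch-Site, else compares Origin to Host.
func crossOriginProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !crossOriginAllowed(r) {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// crossOriginAllowed reports whether a request may reach a state-changing handler.
func crossOriginAllowed(r *http.Request) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true // safe methods must not change state, so they pass
	}
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none":
		return true // "none" is a user-initiated navigation (bookmark, typed URL)
	case "same-site", "cross-site":
		return false // a sibling subdomain is still a forgery risk; reject
	}
	// No Sec-Fetch-Site (older browser or non-browser client): use Origin.
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true // browsers always add Origin to cross-origin POSTs, so this is not one
	}
	u, err := url.Parse(origin)
	return err == nil && strings.EqualFold(u.Host, r.Host)
}

func main() {
	// Constructed request: a cross-site POST, as a browser would label it.
	req := httptest.NewRequest(http.MethodPost, "https://app.example/transfer", nil)
	req.Header.Set("Sec-Fetch-Site", "cross-site")
	rec := httptest.NewRecorder()
	crossOriginProtect(http.NotFoundHandler()).ServeHTTP(rec, req)
	fmt.Println(rec.Code) // 403
}
```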
Comments
Not sure if that's just where the bar is for this library or if it's more of a "Filippo is just that good" sort of thing but cool either way :)