{"id":18920961,"url":"https://github.com/gnat/csrf-starlette-fastapi","last_synced_at":"2025-04-15T11:31:32.424Z","repository":{"id":37398880,"uuid":"453263492","full_name":"gnat/csrf-starlette-fastapi","owner":"gnat","description":"Dead simple CSRF security middleware for Starlette ⭐ and FastAPI ⚡","archived":false,"fork":false,"pushed_at":"2024-03-27T18:33:41.000Z","size":27,"stargazers_count":29,"open_issues_count":0,"forks_count":3,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-28T20:37:25.271Z","etag":null,"topics":["async","csrf","fastapi","htmx","hyperscript","python","security","starlette","web"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gnat.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-01-29T01:09:30.000Z","updated_at":"2025-01-19T11:32:45.000Z","dependencies_parsed_at":"2024-11-08T10:48:47.264Z","dependency_job_id":"91b16a01-b108-45cc-a268-623c6e899198","html_url":"https://github.com/gnat/csrf-starlette-fastapi","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gnat%2Fcsrf-starlette-fastapi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gnat%2Fcsrf-starlette-fastapi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gnat%2Fcsrf-starlette-fastapi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gnat%2Fcsrf-starlette-fastapi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gnat","download_url":"https://codeload.github.com/gnat/csrf-starlette-fastapi/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249061027,"owners_count":21206439,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["async","csrf","fastapi","htmx","hyperscript","python","security","starlette","web"],"created_at":"2024-11-08T10:44:55.106Z","updated_at":"2025-04-15T11:31:32.089Z","avatar_url":"https://github.com/gnat.png","language":"Python","readme":"# Why you may not need a CSRF Middleware in 2022\n\nRecent cookie enhancements can solve CSRF for you:\n\n1. Set one cookie to \"lax\", set one cookie to \"strict\".\n2. Check for the \"strict\" cookie whenever there's a database write (or other sensitive action).\n\nThe \"strict\" cookie will not exist in situations where CSRF will be a threat.\n\n### References\n\n* https://scotthelme.co.uk/csrf-is-dead/\n* https://scotthelme.co.uk/csrf-is-really-dead/\n* https://simonwillison.net/2021/Aug/3/samesite/\n* Discussion: https://github.com/encode/starlette/discussions/1411\n\n### Thanks for coming. 🤔 However if you still wish to use a middleware for some reason, please continue!\n\n# csrf-starlette-fastapi\nDead simple CSRF security middleware for Starlette ⭐ and Fast API ⚡\n\n* Will work with either a `\u003cinput type=\"hidden\"\u003e` field or ajax request headers, interchangeably.\n* Uses stateless [Double Submit Cookie](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie) method, like Django.\n* Tiny, easy to audit.\n\n### Install\n\nAdd `csrf_middleware.py` to your project `/middleware` folder.\n\n### Add to Starlette\n\n```py\nfrom starlette.applications import Starlette\nfrom starlette.middleware import Middleware\nfrom middleware.csrf_middleware import CSRFMiddleware\n\nroutes = ...\n\nmiddleware = [\n    Middleware(CSRFMiddleware)\n]\n\napp = Starlette(routes=routes, middleware=middleware)\n```\n### Add to FastAPI\n\n```py\nfrom fastapi import FastAPI\nfrom middleware.csrf_middleware import CSRFMiddleware\n\napp = FastAPI()\napp.add_middleware(CSRFMiddleware)\n```\n### Usage\n* Directly with HTML.\n  * Pass `request.state.csrftoken` to your [template engine](https://www.starlette.io/templates/).\n  * `\u003cinput type=\"hidden\" name=\"csrftoken\" value=\"{{ csrftoken }}\" /\u003e`\n* Using [htmx](https://htmx.org/) ♥️: `\u003cbody hx-headers='{\"csrftoken\": \"{{ csrftoken }}\"}'\u003e`\n* Using Javascript frameworks: `headers: { 'csrftoken': '{{ csrftoken }}' }`\n    * [XMLHttpRequest.setRequestHeader()](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/setRequestHeader)\n\n### Why?\n\nTo make available something more simple and auditable than the typical libraries for this as of 2022:\n* https://github.com/simonw/asgi-csrf\n* https://github.com/frankie567/starlette-csrf\n* https://github.com/piccolo-orm/piccolo_api/blob/master/piccolo_api/csrf/middleware.py \n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgnat%2Fcsrf-starlette-fastapi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgnat%2Fcsrf-starlette-fastapi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgnat%2Fcsrf-starlette-fastapi/lists"}