Log #0048

suggest an edit

It’s possible to protect against CSRF attack without traditional hidden input fields with tokens. Header Sec-Fetch-Site is sent by browsers with every request since 2023. This header should be read by server that can act according to its value. For example, reject requests that are not same-origin.