[wp-trac] [WordPress Trac] #64481: Explore Sec-Fetch Headers as a Core-Supported CSRF Mitigation Mechanism
WordPress Trac
noreply at wordpress.org
Thu Jan 8 16:19:53 UTC 2026
#64481: Explore Sec-Fetch Headers as a Core-Supported CSRF Mitigation Mechanism
-------------------------+------------------------------
Reporter: nickchomey | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
-------------------------+------------------------------
Comment (by nickchomey):
Apologies, there was a formatting error in the references above. Too late
to edit it.
(1) [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site MDN: Sec-Fetch-Site]
(2) [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#fetch-metadata-headers OWASP CSRF Prevention Cheat Sheet]
(3) [https://caniuse.com/mdn-http_headers_sec-fetch-site Can I use: Sec-Fetch-Site browser coverage]
(4) [https://github.com/golang/go/issues/73626 Go standard library (Cross-Origin Protection, released in v1.25)]
[https://github.com/rails/rails/pull/56350 Rails `protect_from_forgery` (planned for v8.2)]
[https://github.com/django/new-features/issues/98 Django (Fetch Metadata discussion)]
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64481#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
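The references above point at the Fetch Metadata approach without spelling out the decision procedure. The following is an added example, not code from the ticket or from WordPress core, that implements the same logic the OWASP cheat sheet describes and that Go 1.25's Cross-Origin Protection ships: safe methods pass, `Sec-Fetch-Site` is consulted when the browser sends it, and older browsers (see reference 3) fall back to an `Origin`-vs-`Host` comparison. The type name `FetchMetadataGuard`, the trusted-origin list and the request host `example.com` are assumptions made for the example; it runs offline against constructed requests.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// ErrCrossOrigin is returned for a state-changing request that Fetch Metadata
// (or, for browsers that do not send it, the Origin header) shows came from
// another origin.
var ErrCrossOrigin = errors.New("cross-origin request rejected")

// FetchMetadataGuard is a hypothetical name for this example. trustedOrigins
// holds full origins ("https://app.example.com") allowed to make cross-origin
// state-changing requests, e.g. a separately hosted admin front end.
type FetchMetadataGuard struct {
	trustedOrigins map[string]bool
}

func NewFetchMetadataGuard(trusted ...string) *FetchMetadataGuard {
	g := &FetchMetadataGuard{trustedOrigins: map[string]bool{}}
	for _, o := range trusted {
		g.trustedOrigins[o] = true
	}
	return g
}

// Check decides whether r may proceed. Safe methods are never blocked: CSRF
// protection is about state-changing requests, and a handler that mutates
// state on GET is a bug this check cannot fix.
func (g *FetchMetadataGuard) Check(r *http.Request) error {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return nil
	}

	origin := r.Header.Get("Origin")
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none":
		// "none" is a user-initiated navigation (typed URL, bookmark),
		// not a forged cross-site request.
		return nil
	case "":
		// Header absent: an older browser or a non-browser client.
		// Fall back to the Origin header below.
	default:
		// "cross-site", or "same-site" (a sibling subdomain, which must not
		// be trusted implicitly: one compromised subdomain could otherwise
		// forge requests against all the others).
		if g.trustedOrigins[origin] {
			return nil
		}
		return ErrCrossOrigin
	}

	if origin == "" {
		// Neither header present: not a browser (curl, cron). CSRF needs a
		// victim's browser, so there is nothing to block here.
		return nil
	}
	if u, err := url.Parse(origin); err == nil && u.Host == r.Host {
		// Origin host matches Host. Host carries no scheme, so this cannot
		// tell an http:// page posting to an https:// site apart from a real
		// same-origin request; HSTS closes that gap.
		return nil
	}
	if g.trustedOrigins[origin] {
		return nil
	}
	return ErrCrossOrigin
}

// Handler wraps h and answers 403 to requests Check rejects.
func (g *FetchMetadataGuard) Handler(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := g.Check(r); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		h.ServeHTTP(w, r)
	})
}

// newRequest builds a constructed request against https://example.com with the
// given headers (no network involved); httptest sets r.Host to "example.com".
func newRequest(method string, headers map[string]string) *http.Request {
	r := httptest.NewRequest(method, "https://example.com/wp-admin/admin-post.php", nil)
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	g := NewFetchMetadataGuard("https://app.example.com")
	cases := []struct {
		name    string
		headers map[string]string
	}{
		{"modern browser, same origin", map[string]string{"Sec-Fetch-Site": "same-origin"}},
		{"modern browser, attacker page", map[string]string{"Sec-Fetch-Site": "cross-site", "Origin": "https://evil.example"}},
		{"modern browser, sibling subdomain", map[string]string{"Sec-Fetch-Site": "same-site", "Origin": "https://blog.example.com"}},
		{"old browser, Origin matches Host", map[string]string{"Origin": "https://example.com"}},
		{"old browser, attacker page", map[string]string{"Origin": "https://evil.example"}},
		{"curl, no browser headers", map[string]string{}},
		{"trusted front end", map[string]string{"Sec-Fetch-Site": "cross-site", "Origin": "https://app.example.com"}},
	}
	for _, c := range cases {
		fmt.Printf("%-36s -> %v\n", c.name, g.Check(newRequest(http.MethodPost, c.headers)))
	}
}
```

Two points a practitioner should keep in view: `same-site` is deliberately treated as untrusted, because a sibling subdomain is exactly the position an attacker holds after a subdomain takeover or on a multi-tenant host; and the `Origin` fallback for browsers without Fetch Metadata fails open when no `Origin` is sent, which is the trade-off Go's implementation also makes, so existing per-request nonces remain useful as defense in depth.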