{"id":20948,"library":"asgi-csrf","title":"asgi-csrf","description":"ASGI middleware for protecting against CSRF attacks. Current version 0.11. Release cadence is irregular; last release 2023-02-06.","status":"active","version":"0.11","language":"python","source_language":"en","source_url":"https://github.com/simonw/asgi-csrf","tags":["asgi","csrf","middleware","security"],"install":[{"cmd":"pip install asgi-csrf","lang":"bash","label":"latest"}],"dependencies":[{"reason":"Used for signing CSRF tokens","package":"itsdangerous","optional":false},{"reason":"ASGI utilities","package":"asgiref","optional":false}],"imports":[{"note":"Wrong class name","wrong":"from asgi_csrf import CsrfMiddleware","symbol":"ASGICSRFMiddleware","correct":"from asgi_csrf import ASGICSRFMiddleware"},{"note":"Wrong module name","wrong":"import asgi_csrf_middleware","symbol":"asgi_csrf","correct":"import asgi_csrf"}],"quickstart":{"code":"from asgi_csrf import ASGICSRFMiddleware\nfrom starlette.applications import Starlette\nfrom starlette.responses import PlainTextResponse\n\napp = Starlette()\n\n@app.route('/protected')\nasync def protected(request):\n    return PlainTextResponse('OK')\n\napp = ASGICSRFMiddleware(app, secret='my-secret')","lang":"python","description":"Wrap any ASGI app with CSRF protection. Secret must be set. The 'my-secret' literal is a placeholder: use a long random value loaded from configuration or the environment, not one committed to source, because the secret is what signs the CSRF tokens."},"warnings":[{"fix":"Update to 0.11 and ensure build tooling supports PEP 621.","message":"Version 0.11 switched from setup.py to pyproject.toml. If you depend on the old build system, this may break.","severity":"breaking","affected_versions":"<0.11"},{"fix":"Add always_set_cookie=True to middleware initialization.","message":"If no CSRF token cookie is being set, check that your response contains a form with a CSRF hidden input, or set always_set_cookie=True.","severity":"gotcha","affected_versions":"all"},{"fix":"Do not rely on CSRF protection for Bearer token endpoints.","message":"Requests with an Authorization: Bearer header are NOT subject to CSRF checks. This is by design, since browsers do not attach that header automatically to cross-site requests, but it can be a footgun if you expect CSRF checks on API endpoints that use Bearer tokens.","severity":"gotcha","affected_versions":">=0.6"},{"fix":"Use send_csrf_failed callback instead of custom exception handling.","message":"The send_csrf_failed argument (custom error page) is available since 0.10. No deprecation yet, but the old pattern of catching errors may break.","severity":"deprecated","affected_versions":"<0.10"}],"env_vars":null,"last_verified":"2026-04-27T00:00:00.000Z","next_check":"2026-07-26T00:00:00.000Z","problems":[{"fix":"Use 'from asgi_csrf import ASGICSRFMiddleware'.","cause":"Wrong class name used when importing.","error":"ImportError: cannot import name 'CsrfMiddleware' from 'asgi_csrf'"},{"fix":"Pass a secret string: ASGICSRFMiddleware(app, secret='your-secret').","cause":"Missing secret parameter when creating middleware.","error":"RuntimeError: No secret provided"}],"ecosystem":"pypi","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}