{"library":"starlette-csrf","title":"Starlette CSRF Middleware","type":"library","description":"Starlette-CSRF is an active Python middleware for Starlette and FastAPI applications that mitigates Cross-Site Request Forgery (CSRF) attacks. It implements the Double Submit Cookie technique: for unsafe HTTP methods, the same secret value must be sent in both a cookie and a request header. The library is currently at version 3.0.0 and maintains a steady release cadence, with the latest major update focusing on Python version compatibility and argument handling.","language":"python","status":"active","last_verified":"Thu Apr 16","install":{"commands":["pip install starlette-csrf"],"cli":null},"imports":["from starlette_csrf import CSRFMiddleware"],"auth":{"required":false,"env_vars":[]},"links":{"homepage":null,"github":"https://github.com/frankie567/starlette-csrf","docs":"https://github.com/frankie567/starlette-csrf","changelog":null,"pypi":"https://pypi.org/project/starlette-csrf/","npm":null,"openapi_spec":null,"status_page":null,"smithery":null},"quickstart":{"code":"import os\nimport uvicorn\nfrom fastapi import FastAPI, Form\nfrom starlette.middleware import Middleware\nfrom starlette.responses import HTMLResponse\nfrom starlette_csrf import CSRFMiddleware\n\n# Use a strong, random secret: the middleware signs the csrftoken cookie with it.\nSECRET_KEY = os.environ.get('STARLETTE_CSRF_SECRET', 'a-very-secret-key-that-you-should-change-in-production')\n\napp = FastAPI(\n    middleware=[\n        # Defaults: cookie 'csrftoken', header 'x-csrftoken'; GET, HEAD, OPTIONS and TRACE are the safe methods.\n        Middleware(CSRFMiddleware, secret=SECRET_KEY)\n    ]\n)\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def read_root():\n    # The middleware sets the 'csrftoken' cookie on the response to this GET request.\n    # It validates only the 'x-csrftoken' header, never a form field, so the page\n    # reads the cookie with JavaScript and sends it as a header when the form is submitted.\n    return '''\n    <html>\n        <head>\n            <title>CSRF Test</title>\n        </head>\n        <body>\n            <h1>Welcome!</h1>\n            <form id=\"item-form\">\n                <input type=\"text\" name=\"item\" placeholder=\"Enter item\">\n                <button type=\"submit\">Submit</button>\n            </form>\n            <pre id=\"result\"></pre>\n            <script>\n                function getCookie(name) {\n                    const row = document.cookie.split('; ').find(r => r.startsWith(name + '='));\n                    return row ? decodeURIComponent(row.slice(name.length + 1)) : '';\n                }\n                document.getElementById('item-form').addEventListener('submit', async (event) => {\n                    event.preventDefault();\n                    const response = await fetch('/submit', {\n                        method: 'POST',\n                        headers: {\n                            'Content-Type': 'application/x-www-form-urlencoded',\n                            // Double Submit Cookie: echo the cookie value in the header.\n                            'x-csrftoken': getCookie('csrftoken')\n                        },\n                        body: new URLSearchParams(new FormData(event.target))\n                    });\n                    document.getElementById('result').textContent = response.status + ' ' + await response.text();\n                });\n            </script>\n        </body>\n    </html>\n    '''\n\n@app.post(\"/submit\")\nasync def submit_item(item: str = Form(...)):\n    # The middleware compares the 'csrftoken' cookie with the 'x-csrftoken' header.\n    # If either is missing or they do not match, it returns 403 Forbidden before this handler runs.\n    return {\"message\": f\"Item '{item}' received successfully!\"}\n\nif __name__ == \"__main__\":\n    # To run: uvicorn your_app_file_name:app --reload\n    # Then open http://127.0.0.1:8000\n    uvicorn.run(app, host=\"127.0.0.1\", port=8000)\n","lang":"python","description":"This quickstart demonstrates how to integrate `CSRFMiddleware` into a FastAPI application. The response to a `GET` request automatically sets a `csrftoken` cookie. For `POST` requests the client must send that cookie's value back in an `x-csrftoken` header; because the middleware validates the header rather than a form field, the example page reads the cookie with JavaScript and submits the form with `fetch`.","tag":null,"tag_description":null,"last_tested":null,"results":[]},"compatibility":null}