PoC ASGI middleware implementation of the Fetch Metadata specification


Proof-of-concept ASGI middleware implementation of the Fetch Metadata specification for Python 3.6+.

The Fetch Metadata spec allows a server to reject a cross-origin request to protect clients from CSRF, XSSI and other bugs.

Important: this repo was created following a talk by Lukas Weichselbaum at PyConWeb 2019. It is NOT an official or audited implementation of the Fetch Metadata specification in any way. Feel free to fork it, copy-paste the code, or hack away at it!

For more information:


HTTP header parsing is provided by Starlette:

pip install starlette


This middleware should be usable with any ASGI3-compliant application.

An example "Hello, World!" ASGI app wrapped by the FetchMetadataMiddleware is provided in

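from fetch_metadata import FetchMetadataMiddleware
from starlette.responses import PlainTextResponse

# Minimal ASGI application: answers every HTTP request with a plain-text body.
async def app(scope, receive, send):
    assert scope["type"] == "http"
    response = PlainTextResponse("Hello, world!")
    await response(scope, receive, send)

# Wrap the app so each request is checked against its Sec-Fetch-* headers first.
app = FetchMetadataMiddleware(app)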

Serve it using uvicorn or any other ASGI web server:

uvicorn example:app

Example allowed requests:

curl http://localhost:8000
curl http://localhost:8000 -H "Sec-Fetch-Site: cross-origin" -H "Sec-Fetch-Mode: navigate"
curl http://localhost:8000 -H "Sec-Fetch-Site: same-site"

Example disallowed requests:

curl http://localhost:8000 -H "Sec-Fetch-Site: cross-origin" -H "Sec-Fetch-Mode: cors"
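
The policy implied by the curl examples above, written as a plain ASGI middleware with no third-party dependencies. This is an added example, not the repo's code: the class name `FetchMetadataPolicy`, the 403 response, and the GET/destination restrictions on cross-site navigations are assumptions, and any `Sec-Fetch-Site` value outside the trusted set (the spec's `cross-site` as well as the `cross-origin` used above) is treated as cross-site.

```python
import asyncio

# Sec-Fetch-Site values that are never cross-site.
TRUSTED_SITES = {b"same-origin", b"same-site", b"none"}

def is_allowed(method, headers):
    """headers: dict mapping lowercased header names to lowercased values (bytes)."""
    site = headers.get(b"sec-fetch-site")
    if site is None or site in TRUSTED_SITES:
        return True  # no Fetch Metadata sent (curl, older browsers) or same-site
    # Anything else is cross-site: allow only plain top-level GET navigations.
    return (method == "GET"
            and headers.get(b"sec-fetch-mode") == b"navigate"
            and headers.get(b"sec-fetch-dest") not in (b"object", b"embed"))

class FetchMetadataPolicy:  # hypothetical name, not the repo's class
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            headers = {k.lower(): v.strip().lower() for k, v in scope["headers"]}
            if not is_allowed(scope["method"], headers):
                body = b"Blocked by Fetch Metadata policy"
                await send({"type": "http.response.start", "status": 403,
                            "headers": [(b"content-type", b"text/plain"),
                                        (b"content-length", str(len(body)).encode())]})
                await send({"type": "http.response.body", "body": body})
                return
        await self.app(scope, receive, send)

async def hello(scope, receive, send):
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": b"Hello, world!"})

def status_for(headers, method="GET"):
    """Send one constructed request through the wrapped app; return the status."""
    sent = []
    async def send(message):
        sent.append(message)
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    scope = {"type": "http", "method": method, "path": "/",
             "headers": [(k.lower().encode(), v.encode()) for k, v in headers.items()]}
    asyncio.run(FetchMetadataPolicy(hello)(scope, receive, send))
    return sent[0]["status"]
```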