
csrf-protection-demo: demonstrate modern CSRF defenses using Sec-Fetch-Site headers#94

Merged
simonw merged 1 commit intomainfrom
claude/csrf-protection-demo-0eGTy
Mar 14, 2026
Conversation

@simonw (Owner) commented Mar 14, 2026

Clone https://gist.github.com/b7fb3dcc34571f3568d7f67f1ebe31aa.git to /tmp and read both markdown files

Then create a demo app in FastAPI python which can be used to test these approaches

Run "uvx rodney --help" to learn about the rodney tool. Start two dev servers and ensure foo.localhost and bar.localhost can be used to access them via HTTP so you can test cross-domain requests

Run "uvx showboat --help" to learn showboat, then start the README.md file as a showboat document

Your goal is to conclusively demonstrate the new techniques used for CSRF protection described in the gist articles - and also demonstrate how CSRF attacks work without them but fail if those measures are in place - using showboat and Rodney and your own demo servers

The end result should both teach people about CSRF and then explain the new measures in detail and demonstrate them working

Interactive demo showing how modern browsers provide Sec-Fetch-Site and Origin
headers that let servers reject cross-origin requests without CSRF tokens.
Includes a vulnerable bank app, an attacker site, and a protected endpoint
implementing Filippo Valsorda's recommended algorithm (as used in Go 1.25).
Built with FastAPI, rodney (browser automation), and showboat (executable docs).

https://claude.ai/code/session_01SBdyDC8RLnYayfQYKbCrqx
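The check the description refers to, written out as an added example that is not code from this PR, from its demo app, or from Go's standard library. It is a framework-free Python port of my reading of the algorithm behind Go 1.25's `net/http` `CrossOriginProtection` (the one Filippo Valsorda recommends): safe methods always pass, `Sec-Fetch-Site` is consulted first, and the `Origin` header is only a fallback for clients that do not send it. The function names, the `trusted_origins` parameter, and the `foo.localhost` / `bar.localhost` ports in the sample requests are this example's own assumptions.

```python
"""Header-based CSRF check (no tokens): a Python port of the Go 1.25 algorithm.

Added example. Not the PR's code and not Go's code; it follows my understanding
of net/http.CrossOriginProtection. Names and ports below are assumptions.
"""
from typing import Iterable, Mapping
from urllib.parse import urlsplit

# Methods that must never change state and therefore never need the check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class CrossOriginRequest(Exception):
    """Raised when a state-changing request did not come from our own origin."""


def check_cross_origin(method: str, headers: Mapping[str, str], host: str,
                       trusted_origins: Iterable[str] = ()) -> str:
    """Return a short reason the request is allowed, or raise CrossOriginRequest.

    host is the value of the request's Host header (hostname plus optional port).
    trusted_origins is an optional allow-list of full origins such as
    "https://app.example" that may make cross-origin state-changing requests.
    """
    trusted = {o.rstrip("/") for o in trusted_origins}
    # Normalise header names: servers and test clients disagree on casing.
    h = {k.lower(): v for k, v in headers.items()}

    if method.upper() in SAFE_METHODS:
        return "safe-method"

    sec_fetch_site = h.get("sec-fetch-site", "")
    origin = h.get("origin", "")

    if sec_fetch_site in ("same-origin", "none"):
        # Same origin, or a user-initiated navigation (typed URL, bookmark).
        return "sec-fetch-site"
    if sec_fetch_site:
        # "cross-site" or "same-site": the browser itself says this is
        # cross-origin. Only an explicitly trusted Origin gets through.
        if origin in trusted:
            return "trusted-origin"
        raise CrossOriginRequest(f"Sec-Fetch-Site={sec_fetch_site}")

    # Fallback path: no Sec-Fetch-Site at all. Either an old browser or a
    # non-browser client (curl, server-to-server), which CSRF cannot reach.
    if not origin:
        return "no-browser-headers"
    if urlsplit(origin).netloc == host:
        # Origin host matches our Host header. The scheme is not compared
        # because Host carries none; Go accepts the same trade-off here.
        return "origin-matches-host"
    if origin in trusted:
        return "trusted-origin"
    raise CrossOriginRequest(f"Origin={origin} does not match Host={host}")


def is_allowed(method: str, headers: Mapping[str, str], host: str,
               trusted_origins: Iterable[str] = ()) -> bool:
    """Boolean convenience wrapper around check_cross_origin."""
    try:
        check_cross_origin(method, headers, host, trusted_origins)
        return True
    except CrossOriginRequest:
        return False


if __name__ == "__main__":
    # Constructed sample requests aimed at the "bank" server on foo.localhost.
    # Ports are assumptions; the PR's demo may use different ones.
    bank_host = "foo.localhost:8000"
    attacker = "http://bar.localhost:8001"
    cases = [
        ("POST", {"Sec-Fetch-Site": "same-origin", "Origin": "http://" + bank_host}),
        ("POST", {"Sec-Fetch-Site": "cross-site", "Origin": attacker}),
        ("POST", {"Origin": attacker}),          # older browser, Origin only
        ("POST", {}),                            # curl / server-to-server
        ("GET", {"Sec-Fetch-Site": "cross-site"}),  # safe method, always fine
    ]
    for method, hdrs in cases:
        try:
            print(method, hdrs, "->", check_cross_origin(method, hdrs, bank_host))
        except CrossOriginRequest as exc:
            print(method, hdrs, "-> REJECTED:", exc)
```

In a FastAPI app this would sit in a middleware or dependency that reads `request.method`, `request.headers` and the `Host` header and returns 403 on `CrossOriginRequest`; the demo's attacker page on `bar.localhost` then fails on the `Sec-Fetch-Site: cross-site` branch while same-origin form posts and `curl` calls keep working.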

@simonw simonw merged commit 36f1263 into main Mar 14, 2026