Add Sec-Fetch-Site action filter #18641

Open

timkelty wants to merge 3 commits into 4.x from feature/sec-fetch-site-filter


Conversation

Contributor

@timkelty timkelty commented Mar 29, 2026

Summary

Adds a Sec-Fetch-Site action filter for opt-in CSRF replacement.

Usage

config/app.web.php

```php
'as secFetchSite' => [
    'class' => craft\filters\SecFetchSiteFilter::class,

    // require a valid Sec-Fetch-Site header (no CSRF token fallback)
    'strict' => true,

    // allow same-site (subdomain) requests in addition to same-origin
    'allowSameSite' => false,

    'except' => [
        'graphql/*',
        'webhooks/*',
    ],
],
```

```php
'as secFetchSite' => [
    'class' => craft\filters\SecFetchSiteFilter::class,

    // allow fallback to CSRF token validation when the header is missing/invalid
    'strict' => false,

    // allow same-site (subdomain) requests in addition to same-origin
    'allowSameSite' => true,
],
```

Links
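To make the two configurations above concrete, here is an added illustration of the decision such a filter has to make per request; it is not code from this PR or from Craft's `SecFetchSiteFilter`. It assumes the `strict`, `allowSameSite` and `except` options behave as the config comments describe, and its treatment of a `none` or malformed header value (no positive evidence, so strict mode denies and non-strict mode falls back to the CSRF token check) is my assumption, not something the PR states.

```php
<?php
// Added illustration of Sec-Fetch-Site filtering (not Craft's own filter).
// Handling of `none` and unrecognized values is an assumption.

const SFS_ALLOW = 'allow';
const SFS_FALLBACK_CSRF = 'fallback-csrf'; // let the normal CSRF token check run
const SFS_DENY = 'deny';

/**
 * Decide how to treat an action request from its Sec-Fetch-Site header.
 *
 * @param string|null $secFetchSite raw header value, null when absent
 * @param array       $cfg          ['strict' => bool, 'allowSameSite' => bool, 'except' => string[]]
 * @param string      $route        action route, e.g. 'users/save-user'
 */
function secFetchSiteDecision(?string $secFetchSite, array $cfg, string $route): string
{
    // Excluded routes (e.g. webhooks carrying their own auth) bypass the filter.
    foreach ($cfg['except'] ?? [] as $pattern) {
        if (fnmatch($pattern, $route)) {
            return SFS_ALLOW;
        }
    }

    $value = $secFetchSite === null ? null : strtolower(trim($secFetchSite));

    // same-origin is always trusted; same-site only when the config opts in.
    $allowed = ['same-origin'];
    if (!empty($cfg['allowSameSite'])) {
        $allowed[] = 'same-site';
    }
    if ($value !== null && in_array($value, $allowed, true)) {
        return SFS_ALLOW;
    }

    // A browser that explicitly reports cross-site is a definite signal: deny.
    if ($value === 'cross-site') {
        return SFS_DENY;
    }

    // Absent, `none`, or unrecognized: no positive evidence of origin.
    // Assumption: strict mode denies; otherwise fall back to CSRF token validation.
    return !empty($cfg['strict']) ? SFS_DENY : SFS_FALLBACK_CSRF;
}

// Constructed sample calls mirroring the two configs from the PR description.
$strictCfg = ['strict' => true, 'allowSameSite' => false, 'except' => ['graphql/*', 'webhooks/*']];
$lenientCfg = ['strict' => false, 'allowSameSite' => true];
echo secFetchSiteDecision('same-site', $strictCfg, 'users/save-user'), PHP_EOL;
echo secFetchSiteDecision(null, $lenientCfg, 'users/save-user'), PHP_EOL;
echo secFetchSiteDecision('cross-site', $strictCfg, 'webhooks/stripe'), PHP_EOL;
```

Note that a request with no header at all (older browsers, non-browser clients) only reaches the CSRF check in the non-strict configuration; in strict mode such clients must be excluded via `except` or they will be rejected.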

@timkelty timkelty changed the base branch from 5.x to 4.x March 29, 2026 10:42
@linear

linear bot commented Mar 29, 2026

@timkelty timkelty marked this pull request as ready for review March 29, 2026 10:57