Ryan Hamamura b7acfa6302 feat: add automatic CSRF protection for action calls ...

Generate a per-context CSRF token (128-bit, crypto/rand) and inject it
as a Datastar signal (via-csrf) alongside via-ctx. Validate with
constant-time comparison on /_action/{id} before executing, returning
403 on mismatch. Transparent to users since Datastar sends all signals
automatically.

Closes #9

2026-02-06 11:17:41 -10:00

18 KiB

Raw Blame History

View Raw