starlette-csrf

Starlette middleware implementing the Double Submit Cookie technique to mitigate CSRF

MIT License

Downloads: 15K
Stars: 61
Committers: 2


starlette-csrf - v3.0.0 Latest Release

Published by github-actions[bot] about 1 year ago

Bump version 2.0.0 → 3.0.0

Breaking changes

  • Drop Python 3.7 support
starlette-csrf - v2.0.0

Published by github-actions[bot] over 1 year ago

Bump version 1.4.5 → 2.0.0

Breaking changes

  • Initializer arguments other than app and secret are now keyword-only.
    • This shouldn't affect you if you add the middleware normally using Starlette's Middleware or FastAPI's .add_middleware.

New features

  • Add a required_urls argument to set route patterns where CSRF should always be enforced, no matter the method or cookies present.
    • Useful to prevent attacks like Login CSRF.
    • Thanks @bkis for the idea and feedback
starlette-csrf - v1.4.5

Published by github-actions[bot] almost 2 years ago

Bump version 1.4.4 → 1.4.5

Improvements

  • Bump starlette >=0.14.2
  • Use Hatch for package management
starlette-csrf -

Published by frankie567 over 2 years ago

Improvements

  • Rewrite as a pure ASGI middleware, without BaseHTTPMiddleware as it's now deprecated.
  • Bump dependencies:
    • starlette >=0.14.2,<0.21.0
starlette-csrf -

Published by frankie567 over 2 years ago

Bug fixes and improvements

  • Bump dependencies:
    • starlette >=0.14.2,<0.20.0
    • itsdangerous >=2.0.1,<3.0.0
starlette-csrf -

Published by frankie567 over 2 years ago

Fixes and improvements

  • Put submitted CSRF token retrieval logic in a separate method _get_submitted_csrf_token for easier overloading.
starlette-csrf -

Published by frankie567 over 2 years ago

Bug fixes and improvements

  • Bump dependencies:
    • starlette >=0.14.2,<0.19.0
starlette-csrf -

Published by frankie567 almost 3 years ago

New features

  • The error response logic is now in its own separate method to ease overloading in case you need a custom error response. [Documentation]

Improvements

  • Bump packages:
    • starlette >=0.14.2,<0.18.0
starlette-csrf -

Published by frankie567 about 3 years ago

New features

  • Allow exempting some routes from CSRF protection using regex patterns. Thanks @lsapan 🎉

Improvements

  • Bump packages:
    • starlette >=0.14.2,<0.17.0
    • itsdangerous ==2.0.1
Package Rankings
Top 6.5% on Pypi.org