Dead simple CSRF security middleware for Starlette ⭐ and Fast API ⚡

  • Works with either an <input type="hidden"> field or ajax request headers, interchangeably.
  • Uses stateless Double Submit Cookie method, like Django.
  • Tiny, easy to audit.


Add csrf_middleware.py to your project's /middleware folder.

Add to Starlette

from starlette.applications import Starlette
from starlette.middleware import Middleware
from middleware.csrf_middleware import CSRFMiddleware

routes = ...

middleware = [Middleware(CSRFMiddleware)]  # register the CSRF check for every route

app = Starlette(routes=routes, middleware=middleware)

Add to FastAPI

from fastapi import FastAPI
from middleware.csrf_middleware import CSRFMiddleware

app = FastAPI()
app.add_middleware(CSRFMiddleware)  # register the CSRF check for every route


  • Use directly in HTML.
    • Pass request.state.csrftoken to your template engine.
    • <input type="hidden" name="csrftoken" value="{{ csrftoken }}" />
  • Use javascript / ajax frameworks such as the elegant htmx ♥️
    • Before your ajax call, set your headers.
      • Most frameworks: headers: { 'csrftoken': '{{ csrftoken }}' }
      • XMLHttpRequest.setRequestHeader()
    • Another htmx ♥️ solution:
      • <body hx-headers='{"csrftoken": "{{ csrftoken }}"}'>
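The Double Submit Cookie check that the bullets above rely on, written out as a stand-alone added example (this is illustrative code, not the project's csrf_middleware.py). The form field and header names `csrftoken` come from the README; the cookie name `csrftoken`, the `new_token`/`csrf_ok` helpers and the plain-dict request shape are assumptions made for the illustration.

```python
import hmac
import secrets
from typing import Optional

# Names the README uses for the hidden field and the ajax header.
FORM_FIELD = "csrftoken"
HEADER_NAME = "csrftoken"
# Cookie name is an assumption for this illustration; the real middleware may differ.
COOKIE_NAME = "csrftoken"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def new_token() -> str:
    """Random, unguessable token: set as the cookie and exposed to templates."""
    return secrets.token_urlsafe(32)


def submitted_token(headers: dict, form: dict) -> Optional[str]:
    """Accept the token from either the ajax header or the hidden form field."""
    # Header names are case-insensitive, so normalise before looking up.
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(HEADER_NAME) or form.get(FORM_FIELD)


def csrf_ok(method: str, cookies: dict, headers: dict, form: dict) -> bool:
    """Double Submit Cookie check.

    The value the browser attaches automatically (the cookie) must equal the
    value the page had to place in the request deliberately (header or form
    field). A cross-site page can trigger the request but cannot read the
    cookie, so it cannot supply a matching field or header.
    """
    if method.upper() in SAFE_METHODS:
        return True  # only state-changing requests are checked
    cookie_token = cookies.get(COOKIE_NAME)
    sent = submitted_token(headers, form)
    if not cookie_token or not sent:
        return False
    # Constant-time comparison so the token cannot be recovered via timing.
    return hmac.compare_digest(cookie_token, sent)
```

The check is only as strong as the assumption that nothing but your own origin can write that cookie, so the cookie's scope and attributes matter as much as the comparison itself.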


To make available something simpler and more auditable than the typical libraries for this as of 2022:

Do I need CSRF Middleware?

Maybe? Maybe not?

