It’s possible to protect against CSRF attacks without the traditional hidden input fields carrying tokens. Browsers have sent the `Sec-Fetch-Site` header with every request since 2023. The server should read this header and act on its value, for example by rejecting requests that are not `same-origin`.
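
One way to apply this check on the server, as an added example that is not code from the original note: a WSGI middleware that rejects state-changing requests whose `Sec-Fetch-Site` is not `same-origin`. Assumptions: GET, HEAD and OPTIONS are exempt so inbound links keep working, requests without the header are rejected unless `allow_missing` is set, and all names (`is_request_allowed`, `SecFetchSiteMiddleware`, `simulate`) are hypothetical.

```python
from wsgiref.util import setup_testing_defaults

# Assumption: these methods never change state, so cross-site use is harmless.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def is_request_allowed(method, sec_fetch_site, allow_missing=False):
    """Return True if the request passes the Sec-Fetch-Site check."""
    if method.upper() in SAFE_METHODS:
        return True
    if sec_fetch_site is None:
        # Header absent: a non-browser client or a browser that predates it.
        return allow_missing
    return sec_fetch_site.strip().lower() == "same-origin"


class SecFetchSiteMiddleware:
    """Wraps a WSGI app and answers 403 to requests that fail the check."""

    def __init__(self, app, allow_missing=False):
        self.app = app
        self.allow_missing = allow_missing

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET")
        site = environ.get("HTTP_SEC_FETCH_SITE")  # WSGI name of Sec-Fetch-Site
        if is_request_allowed(method, site, self.allow_missing):
            return self.app(environ, start_response)
        body = b"Cross-site request rejected\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def simulate(method, site=None, allow_missing=False):
    """Send one constructed request through the middleware; return its status."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    if site is not None:
        environ["HTTP_SEC_FETCH_SITE"] = site
    seen = []
    app = SecFetchSiteMiddleware(demo_app, allow_missing)
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Rejecting requests that lack the header is the stricter choice; setting `allow_missing=True` lets non-browser clients through at the cost of not covering browsers that do not send the header.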

https://romanvesely.com/log/0048