@barray on Sat Aug 07 01:00:48 UTC 2021 said:
Yeah... #deadsocial is 100% vulnerable to #csrf https://simonwillison.net/2021/Aug/3/sam.. I have a better solution for this problem though, where every requested page whilst logged in also sends a #random #token per #form that needs to be sent back with the #user #session #cookie . The reason for not using #http #headers is that not *every* browser supports them.
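The per-form token scheme described in the post, as an added example that is not the poster's code: each page render issues a fresh random token for each form, the server remembers it against the user's session, and a submission is accepted only if it arrives with the matching session cookie and the matching token. The in-memory `sessions` dict, the function names and the constructed request dicts are assumptions standing in for a real web framework's session store and request object.

```python
import hmac
import secrets

# Constructed server-side session store: session cookie value -> session data.
# A real application would keep this in its session backend, not a module dict.
sessions = {}


def new_session():
    """Create a logged-in session and return the cookie value."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"csrf_tokens": {}}
    return sid


def issue_form_token(session_id, form_id):
    """Called while rendering a page: one fresh random token per form,
    recorded against the session so only that session can spend it."""
    token = secrets.token_urlsafe(32)
    sessions[session_id]["csrf_tokens"][form_id] = token
    return token


def validate_form_token(session_id, form_id, submitted_token):
    """Called on submit. The token is single-use (popped on first check) and
    compared in constant time so a mismatch leaks no timing information."""
    session = sessions.get(session_id)
    if session is None:
        return False
    expected = session["csrf_tokens"].pop(form_id, None)
    if expected is None or submitted_token is None:
        return False
    return hmac.compare_digest(expected, submitted_token)


def handle_post(request):
    """Request handler for a state-changing form; `request` is a constructed dict
    with the browser-sent cookie and the submitted form fields."""
    sid = request.get("cookies", {}).get("session")
    form = request.get("form", {})
    if not validate_form_token(sid, "change_email", form.get("csrf_token")):
        return 403
    return 200


def demo():
    """Walk through the cases a defender cares about and return each outcome."""
    results = {}
    victim = new_session()

    # 1. Legitimate page render: victim loads the form and gets its token.
    token = issue_form_token(victim, "change_email")
    results["legit"] = handle_post({
        "cookies": {"session": victim},
        "form": {"email": "me@example.invalid", "csrf_token": token},
    })

    # 2. Replay of the same token: rejected because tokens are single-use.
    results["replay"] = handle_post({
        "cookies": {"session": victim},
        "form": {"email": "me@example.invalid", "csrf_token": token},
    })

    # 3. Cross-site request: the browser attaches the victim's cookie
    #    automatically, but the foreign page cannot read the token.
    issue_form_token(victim, "change_email")  # victim has the form open again
    results["cross_site"] = handle_post({
        "cookies": {"session": victim},
        "form": {"email": "attacker@example.invalid"},
    })

    # 4. Token issued to a different session does not transfer.
    other = new_session()
    other_token = issue_form_token(other, "change_email")
    results["wrong_session"] = handle_post({
        "cookies": {"session": victim},
        "form": {"email": "attacker@example.invalid", "csrf_token": other_token},
    })
    return results


if __name__ == "__main__":
    print(demo())  # expected: legit 200, replay/cross_site/wrong_session 403
```

Because the token is bound to the session rather than to the cookie alone, the cookie the browser attaches automatically is no longer sufficient on its own, which is exactly the property a forged cross-site form lacks; binding each token to a form id and making it single-use also means a leaked token from one page cannot be reused against another.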