https://macworks.dev/tags/ai/Recent content in Ai on MacWorksHugoenhttps://macworks.dev/docs/today/simonwillison-2026-04-14/Mon, 01 Jan 0001 00:00:00 +0000https://macworks.dev/docs/today/simonwillison-2026-04-14/<h1 id="simon-willison--2026-04-14">Simon Willison — 2026-04-14<a class="anchor" href="#simon-willison--2026-04-14">#</a></h1> <h2 id="highlight">Highlight<a class="anchor" href="#highlight">#</a></h2> <p>Simon highlights a fascinating paradigm shift in AI security: treating vulnerability discovery as an economic &ldquo;proof of work&rdquo; equation where spending more tokens yields better hardening. This creates a compelling new argument for the enduring value of open-source libraries in the age of vibe-coding, as the massive cost of AI security reviews can be shared across all of a project&rsquo;s users.</p> <h2 id="posts">Posts<a class="anchor" href="#posts">#</a></h2> <p><strong>[datasette PR #2689: Replace token-based CSRF with Sec-Fetch-Site header protection]</strong> · <a href="https://simonwillison.net/2026/Apr/14/replace-token-based-csrf/#atom-everything">Source</a> Simon has replaced Datasette&rsquo;s cumbersome token-based CSRF protection with a new middleware relying on the <code>Sec-Fetch-Site</code> header, inspired by Filippo Valsorda&rsquo;s research and recent changes in Go 1.25. This modern approach eliminates the need to scatter hidden CSRF token inputs throughout templates or selectively disable protection for external APIs. Interestingly, while Claude Code handled the bulk of the commits under Simon&rsquo;s guidance with cross-review by GPT-5.4, Simon chose to hand-write the PR description himself as an exercise in conciseness and keeping himself honest.</p>