https://github.com/golang/go/issues/73626
https://developer.mozilla.org/en-US/docs/Web/Security/Attack...
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...
https://web.dev/articles/fetch-metadata
https://appliedgo.net/spotlight/csrf-dont-mess-with-my-site/
And some older ones that focused on Origin header rather than sec-fetch-*
https://www.sjoerdlangkemper.nl/2019/02/27/prevent-csrf-with...
https://www.brandur.org/fragments/origin
https://srungta.github.io/blog/start-right/ui-nonce
https://github.com/golang/go/issues/73626
https://developer.mozilla.org/en-US/docs/Web/Security/Attack...
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...
https://web.dev/articles/fetch-metadata
https://appliedgo.net/spotlight/csrf-dont-mess-with-my-site/
And some older ones that focused on Origin header rather than sec-fetch-*
https://www.sjoerdlangkemper.nl/2019/02/27/prevent-csrf-with...
https://www.brandur.org/fragments/origin
https://srungta.github.io/blog/start-right/ui-nonce