diff --git a/README.md b/README.md index 4a48019f..d7e3c1f8 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,7 @@ Datasette is aimed at data journalists, museum curators, archivists, local gover ## News + * 9th August 2020: [Datasette 0.46](http://datasette.readthedocs.io/en/latest/changelog.html#v0-46) - security fix relating to CSRF protection for writable canned queries, a new logo, new debugging tools, improved file downloads and more. * 6th August 2020: [GraphQL in Datasette with the new datasette-graphql plugin](https://simonwillison.net/2020/Aug/7/datasette-graphql/) * 24th July 2020: Two new plugins: [datasette-copyable and datasette-insert-api](https://simonwillison.net/2020/Jul/23/datasette-copyable-datasette-insert-api/). `datasette-copyable` adds copy-and-paste export options, and `datasette-insert-api` lets you create tables and insert or update data by POSTing JSON directly to Datasette. * 1st July 2020: [Datasette 0.45](http://datasette.readthedocs.io/en/latest/changelog.html#v0-45) - [Magic parameters for canned queries](https://datasette.readthedocs.io/en/latest/sql_queries.html#canned-queries-magic-parameters), a log out feature, improved plugin documentation and four new plugin hooks. See also [Datasette 0.45: The annotated release notes](https://simonwillison.net/2020/Jul/1/datasette-045/). diff --git a/docs/changelog.rst b/docs/changelog.rst index 62a6350a..57ef5be0 100644 --- a/docs/changelog.rst +++ b/docs/changelog.rst 
@@ -4,6 +4,29 @@ Changelog ========= +.. _v0_46: + +0.46 (2020-08-09) +----------------- + +.. warning:: + This release contains a security fix related to authenticated writable canned queries. If you are using this feature you should upgrade as soon as possible. + +- **Security fix:** CSRF tokens were incorrectly included in read-only canned query forms, which could allow them to be leaked to a sophisticated attacker. See `issue xxx <>`__ for details. +- Datasette now supports GraphQL via the new `datasette-graphql `__ plugin - see `GraphQL in Datasette with the new datasette-graphql plugin `__. +- Principle git branch has been renamed from ``main`` to ``master``. (`#849 `__) +- New debugging tool: ``/-/allow-debug tool`` (`demo here `__) helps test allow blocks against actors, as described in :ref:`authentication_permissions_allow`. (`#908 `__) +- New logo for the documentation, and a new project tagline: "An open source multi-tool for exploring and publishing data". +- Whitespace in column values is now respected on display, using ``white-space: pre-wrap``. (`#896 `__) +- New ``await request.post_body()`` method for accessing the raw POST body, see :ref:`internals_request`. (`#897 `__) +- Database file downloads now include a ``content-length`` HTTP header, enabling download progress bars. (`#905 `__) +- File downloads now also correctly set the suggested file name using a ``content-disposition`` HTTP header. (`#909 `__) +- ``tests`` are now excluded from the Datasette package properly - thanks, abeyerpath. (`#456 `__) +- The Datasette package published to PyPI now includes ``sdist`` as well as ``bdist_wheel``. +- Better titles for canned query pages. (`#887 `__) +- Now only loads Python files from a directory passed using the ``--plugins-dir`` option - thanks, Amjith Ramanujam. (`#890 `__) +- New documentation section on :ref:`publish_vercel`. + .. _v0_45: 0.45 (2020-07-01)
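Review bot: In the README.md hunk, the added 9th August 2020 News entry links to the changelog over plain `http://datasette.readthedocs.io/en/latest/changelog.html#v0-46`, while the Magic parameters link in the 1st July entry below it already uses `https://`. This entry announces a security fix, so suggest switching the new link to `https://` so the release notes it points to are fetched over TLS.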
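Review bot: In the docs/changelog.rst hunk, the **Security fix** bullet still carries the placeholder `issue xxx <>` with an empty link target, so the warning tells users of writable canned queries to upgrade as soon as possible but gives them nowhere to read the details. Fill in the real issue reference before this ships, and consider stating in the bullet which releases are affected. Two smaller points in the same hunk: "Principle git branch" should read "Principal", and the direction in "renamed from ``main`` to ``master``" is worth confirming against the referenced #849; and in ``/-/allow-debug tool`` the word "tool" sits inside the literal, so it reads as part of the path.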