1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
.. currentmodule:: flask_wtf.csrf
.. _csrf:
CSRF Protection
===============
Any view using :class:`~flask_wtf.FlaskForm` to process the request is already
getting CSRF protection. If you have views that don't use ``FlaskForm`` or make
AJAX requests, use the provided CSRF extension to protect those requests as
well.
Setup
-----
To enable CSRF protection globally for a Flask app, register the
:class:`CSRFProtect` extension. ::
from flask_wtf.csrf import CSRFProtect
csrf = CSRFProtect(app)
Like other Flask extensions, you can apply it lazily::
csrf = CSRFProtect()
def create_app():
app = Flask(__name__)
csrf.init_app(app)
.. note::
CSRF protection requires a secret key to securely sign the token. By default
this will use the Flask app's ``SECRET_KEY``. If you'd like to use a
separate token you can set ``WTF_CSRF_SECRET_KEY``.
.. warning::
Make sure your webserver cache policy wont't interfere with the CSRF protection.
If pages are cached longer than the ``WTF_CSRF_TIME_LIMIT`` value, then user browsers
may serve cached page including expired CSRF token, resulting in random *Invalid*
or *Expired* CSRF errors.
HTML Forms
----------
When using a ``FlaskForm``, render the form's CSRF field like normal.
.. sourcecode:: html+jinja
<form method="post">
{{ form.csrf_token }}
</form>
If the template doesn't use a ``FlaskForm``, render a hidden input with the
token in the form.
.. sourcecode:: html+jinja
<form method="post">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
</form>
JavaScript Requests
-------------------
When sending an AJAX request, add the ``X-CSRFToken`` header to it.
For example, in jQuery you can configure all requests to send the token.
.. sourcecode:: html+jinja
<script type="text/javascript">
var csrf_token = "{{ csrf_token() }}";
$.ajaxSetup({
beforeSend: function(xhr, settings) {
if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type) && !this.crossDomain) {
xhr.setRequestHeader("X-CSRFToken", csrf_token);
}
}
});
</script>
In Axios you can set the header for all requests with ``axios.defaults.headers.common``.
.. sourcecode:: html+jinja
<script type="text/javascript">
axios.defaults.headers.common["X-CSRFToken"] = "{{ csrf_token() }}";
</script>
Customize the error response
----------------------------
When CSRF validation fails, it will raise a :class:`CSRFError`.
By default this returns a response with the failure reason and a 400 code.
You can customize the error response using Flask's
:meth:`~flask.Flask.errorhandler`. ::
from flask_wtf.csrf import CSRFError
@app.errorhandler(CSRFError)
def handle_csrf_error(e):
return render_template('csrf_error.html', reason=e.description), 400
Exclude views from protection
-----------------------------
We strongly suggest that you protect all your views with CSRF. But if
needed, you can exclude some views using a decorator. ::
@app.route('/foo', methods=('GET', 'POST'))
@csrf.exempt
def my_handler():
# ...
return 'ok'
You can exclude all the views of a blueprint. ::
csrf.exempt(account_blueprint)
You can disable CSRF protection in all views by default, by setting
``WTF_CSRF_CHECK_DEFAULT`` to ``False``, and selectively call
:meth:`~flask_wtf.csrf.CSRFProtect.protect` only when you need. This also enables you to do some
pre-processing on the requests before checking for the CSRF token. ::
@app.before_request
def check_csrf():
if not is_oauth(request):
csrf.protect()
|
