Cross-site request forgery

Severity: High

Insecure configuration can lead to a cross-site request forgery (CSRF) vulnerability. An attacker can then trick an authenticated end user's browser into sending a state-changing request that the user never intended, because the browser attaches the user's session cookie automatically.

Detector ID

Noncompliant example

def csrf_protection_noncompliant():
    from flask import Flask
    app = Flask(__name__)
    # Noncompliant: disables CSRF protection for every Flask-WTF form,
    # so state-changing POST requests are accepted without a token.
    app.config['WTF_CSRF_ENABLED'] = False
    return app

Compliant example

def csrf_protection_compliant():
    # CSRFProtect is the current name; the older alias CsrfProtect was removed in Flask-WTF 1.0.
    from flask_wtf.csrf import CSRFProtect
    from flask import Flask
    csrf = CSRFProtect()
    app = Flask(__name__)
    # Token signing requires a secret; load it from configuration, never hard-code it.
    app.config['SECRET_KEY'] = os.environ['SECRET_KEY']
    # Compliant: enables CSRF protection (token check on every POST/PUT/PATCH/DELETE).
    csrf.init_app(app)
    return app