Insecure configuration can lead to a cross-site request forgery (CSRF) vulnerability. Without a CSRF check, an attacker-controlled page can make a victim's browser send state-changing requests that carry the victim's session cookie, so the application performs actions the authenticated user never intended.
def csrf_protection_noncompliant():
    """Noncompliant example: CSRF protection is switched off for the whole app.

    Setting ``WTF_CSRF_ENABLED`` to ``False`` tells Flask-WTF to skip its
    CSRF check on every view, so any cross-origin page can submit a
    state-changing request that rides on the victim's session cookie.
    If the flag is ever needed (e.g. in a test-only config), it belongs in
    that isolated config object, never in application code.
    """
    from flask import Flask

    application = Flask(__name__)
    # Noncompliant: disables CSRF protection application-wide.
    application.config.update(WTF_CSRF_ENABLED=False)
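def csrf_protection_compliant():
    """Compliant example: enable Flask-WTF CSRF protection for the whole app.

    ``CSRFProtect.init_app`` installs a request hook that rejects
    state-changing requests (POST/PUT/PATCH/DELETE by default) unless they
    carry a valid ``csrf_token`` form field or ``X-CSRFToken`` header.
    """
    from flask import Flask
    # ``CSRFProtect`` is the current class name; the ``CsrfProtect`` spelling
    # was deprecated in Flask-WTF 0.14 and is not available in recent releases.
    from flask_wtf.csrf import CSRFProtect

    csrf = CSRFProtect()
    app = Flask(__name__)
    # NOTE(review): Flask-WTF signs CSRF tokens with ``app.secret_key``, so
    # the application must configure SECRET_KEY (not shown here) or token
    # generation fails at request time. Leave WTF_CSRF_ENABLED at its default
    # (True) outside test configuration, and audit any ``@csrf.exempt`` use,
    # since each exemption reopens the hole for that view.
    # Compliant: enables CSRF protection.
    csrf.init_app(app)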