Cross-Site Request Forgery (CSRF) protection stops a malicious website from making a logged-in user's browser send requests to your application that the user never intended, such as changing a password or placing an order. Browsers can attach the session cookie to a request even when it was triggered from another site, so the server needs a separate proof that the request originated from its own pages; that proof is the CSRF token.
CSRF protection concept in Flask
Introduction
Use CSRF protection whenever a request can change server-side state, for example:
When you have forms that change data, like login or signup forms.
When users can update their profile or settings on your site.
When your app processes payments or other sensitive actions.
When you want to stop a user's authenticated session from being abused by requests that originate on other sites.
Syntax
Flask
from flask import Flask
from flask_wtf import CSRFProtect

app = Flask(__name__)
app.config['SECRET_KEY'] = 'your-secret-key'  # placeholder; use a long random value in production
csrf = CSRFProtect(app)  # enables the CSRF check for every state-changing request
SECRET_KEY is required: Flask-WTF stores the token in the signed session cookie and signs each token with this key, so anyone who learns the key can forge both. Use a long random value and load it from the environment rather than committing it to source control.
CSRFProtect(app) registers a before-request hook that checks the token on every POST, PUT, PATCH and DELETE request, so individual views do not need to do anything themselves.
Examples
Basic setup to enable CSRF protection in a Flask app.
Flask
from flask import Flask
from flask_wtf import CSRFProtect

app = Flask(__name__)
app.config['SECRET_KEY'] = 'secret123'  # demo only; use a long random value in production
csrf = CSRFProtect(app)
A POST route that CSRFProtect checks automatically. If the token is missing or invalid, Flask-WTF responds with HTTP 400 before the view function runs.
Flask
@app.route('/submit', methods=['POST'])
def submit():
    # Your form handling code here.
    # CSRFProtect has already verified the token by the time this runs.
    return 'Form submitted!'
In your HTML form, include {{ form.hidden_tag() }} so the CSRF token is sent back with the submission. hidden_tag() renders every hidden field of a FlaskForm, including the csrf_token field that FlaskForm adds automatically, so the template must be rendered with a FlaskForm instance passed as form (the sample program below does this). For a template that is not backed by a FlaskForm, Flask-WTF also registers a csrf_token() Jinja global that returns the token for the current session.
Flask
<form method="POST" action="/submit">
    {{ form.hidden_tag() }}
    <input type="text" name="name">
    <input type="submit" value="Send">
</form>
Sample Program
This Flask app shows a simple form with CSRF protection. FlaskForm adds the hidden csrf_token field to the form, and hidden_tag() renders it into the page. When you submit the form, validate_on_submit() succeeds only if the token verified, and the app greets you by name.
Flask
from flask import Flask, render_template_string
from flask_wtf import FlaskForm, CSRFProtect
from markupsafe import escape
from wtforms import StringField, SubmitField

app = Flask(__name__)
app.config['SECRET_KEY'] = 'secret123'  # demo only; use a long random value in production
csrf = CSRFProtect(app)

class NameForm(FlaskForm):
    # FlaskForm adds a hidden csrf_token field to this form automatically
    name = StringField('Name')
    submit = SubmitField('Submit')

@app.route('/', methods=['GET', 'POST'])
def index():
    form = NameForm()
    if form.validate_on_submit():
        # True only for a POST whose CSRF token verified. escape() keeps a
        # name such as <script> from being rendered as HTML in the response.
        return f'Hello, {escape(form.name.data)}!'
    return render_template_string('''
        <form method="POST">
            {{ form.hidden_tag() }}
            {{ form.name.label }} {{ form.name() }}<br>
            {{ form.submit() }}
        </form>
    ''', form=form)

if __name__ == '__main__':
    app.run(debug=False)
Important Notes
Always use a long, random secret key (for example one generated with secrets.token_hex), keep it out of source control and load it from the environment. Tokens are signed with this key, so whoever knows it can forge them.
Each token is bound to the user's session and signed with the secret key, so a token taken from one session is rejected in another; Flask-WTF also expires tokens after WTF_CSRF_TIME_LIMIT seconds (3600 by default). A token that never leaves the page it was rendered into cannot be read by another origin, which is what makes the check work.
Flask-WTF makes adding CSRF protection easy: FlaskForm adds the token field to a form, and CSRFProtect enforces the check for every state-changing request, including views that do not use a FlaskForm at all. GET requests are not checked, so a GET handler must never change state.
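To make the token check above concrete, here is an added, simplified re-implementation of the scheme Flask-WTF uses: a random value kept in the server-side session, signed together with a timestamp using the secret key, and compared in constant time on every state-changing request. This is illustration code written for this page, not Flask-WTF's own implementation (which uses itsdangerous for the signing step); SECRET_KEY, MAX_AGE and the plain dicts standing in for sessions are assumptions of the demo.

```python
import hashlib
import hmac
import secrets
import time

# Placeholder secret for this illustration; a deployment loads a long random value from the environment.
SECRET_KEY = b'illustration-only-secret'
MAX_AGE = 3600  # seconds, mirroring Flask-WTF's default WTF_CSRF_TIME_LIMIT


def session_token(session):
    """Return the per-session random value, creating it on first use (lives server-side in the session)."""
    if 'csrf_token' not in session:
        session['csrf_token'] = secrets.token_hex(32)
    return session['csrf_token']


def _sign(raw, issued_at):
    """HMAC over the session value and the issue time so neither can be altered."""
    return hmac.new(SECRET_KEY, f'{raw}.{issued_at}'.encode(), hashlib.sha256).hexdigest()


def issue_token(session, now=None):
    """Build the value that goes into the hidden form field: session value, timestamp, HMAC."""
    issued_at = int(time.time() if now is None else now)
    raw = session_token(session)
    return f'{raw}.{issued_at}.{_sign(raw, issued_at)}'


def verify_token(session, submitted, now=None):
    """Return 'ok', or the reason the submitted token is rejected."""
    if not submitted:
        return 'token missing'
    if 'csrf_token' not in session:
        return 'session token missing'
    parts = submitted.split('.')
    if len(parts) != 3 or not parts[1].isdigit():
        return 'token malformed'
    raw, issued_at, mac = parts
    # Check the signature before trusting anything else in the token.
    if not hmac.compare_digest(mac.encode(), _sign(raw, issued_at).encode()):
        return 'bad signature'
    current = int(time.time() if now is None else now)
    if current - int(issued_at) > MAX_AGE:
        return 'token expired'
    # Constant-time comparison against the value stored in this user's own session.
    if not hmac.compare_digest(raw.encode(), session['csrf_token'].encode()):
        return 'token belongs to another session'
    return 'ok'


def demo():
    """Walk through the cases a CSRF check must reject; returns the verdict for each."""
    alice = {}    # stands in for Alice's server-side session
    mallory = {}  # a different user's session
    t0 = 1_700_000_000  # constructed fixed clock so the run is deterministic
    token = issue_token(alice, now=t0)
    issue_token(mallory, now=t0)
    # Flip the last hex digit of the HMAC to simulate a tampered token.
    tampered = token[:-1] + ('0' if token[-1] != '0' else '1')
    return {
        'valid': verify_token(alice, token, now=t0 + 10),
        'missing': verify_token(alice, '', now=t0 + 10),
        'tampered': verify_token(alice, tampered, now=t0 + 10),
        'expired': verify_token(alice, token, now=t0 + MAX_AGE + 1),
        'other_session': verify_token(mallory, token, now=t0 + 10),
        'no_session': verify_token({}, token, now=t0 + 10),
    }


if __name__ == '__main__':
    for case, verdict in demo().items():
        print(f'{case}: {verdict}')
```

The order of checks matters: the signature is verified first so that an attacker-controlled timestamp or session value is never acted on unsigned, and both comparisons use hmac.compare_digest so that response timing does not leak how much of a guessed token was correct.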
Summary
CSRF protection stops attackers from tricking a user's browser into sending state-changing requests the user never intended.
Use Flask-WTF's CSRFProtect and include the token in every form, via form.hidden_tag() for a FlaskForm or a hidden csrf_token field otherwise.
Protect every route that changes data (POST, PUT, PATCH and DELETE are all checked), and never change state in response to a GET, which CSRFProtect does not check.