Extremely simple, "good enough" CSRF implementation for Flask forms; no server-side sessions required.
Project description
Install
pip3 install flask-simple-csrf
or if installing from source
python3 setup.py install
How to use
This package is intended to assign a unique CSRF string per form submit per user session, without requiring any backend session tracking: both halves of the token are kept in Flask's signed session cookie, so Flask's own SECRET_KEY must be set as well. First, set SECRET_CSRF_KEY
in your app config to a random, complex string generated with a CSPRNG (for example secrets.token_urlsafe(40)). Example (generate your own, do not copy this one): SECRET_CSRF_KEY = 'wMmeltW4mhwidorQRli6Oxx9VPXldz'
Second, you probably want to add something like this to the top of your code:
import secrets
import config  # your settings module; config.CSRF_CONFIG is the dict shown below
from flask import Flask, session
from flask_simple_csrf import CSRF

# app.config should have an attribute that looks something like this
# CSRF_CONFIG = {
#     'SECRET_CSRF_KEY': 'changeme-40-50-characters-long',
# }
app = Flask(__name__)
# Flask signs the session cookie with SECRET_KEY; without it session[...] does not work
app.config['SECRET_KEY'] = config.SECRET_KEY  # assumed to be defined in your config module
CSRF = CSRF(config=config.CSRF_CONFIG)
app = CSRF.init_app(app)

def random_string(length):
    # helper not provided by flask_simple_csrf: must come from a CSPRNG, never random.random()
    return secrets.token_hex(length // 2)

@app.before_request
def before_request():
    # issue a fresh pair when the session has none (first visit, or after clear_csrf_tokens())
    if 'CSRF_TOKEN' not in session or 'USER_CSRF' not in session:
        session['USER_CSRF'] = random_string(64)
        session['CSRF_TOKEN'] = CSRF.create(session['USER_CSRF'])
Each user session should have a unique CSRF string which changes on form submit. Because the pair lives in the signed session cookie rather than a server-side store, the client can read both values but cannot alter them without the app's SECRET_KEY.
In the HTML templates you want to protect, add: {{ csrf_html(session['USER_CSRF'])|safe }}
This will create something like this: <input type="hidden" value="9D..." name="simplecsrf">
I'd recommend creating a wrapper to avoid code duplication when checking for this value. Something like:
from functools import wraps
from flask import flash, request, session

def clear_csrf_tokens():
    # drop the pair so before_request issues a fresh one on the next request
    session.pop('USER_CSRF', None)
    session.pop('CSRF_TOKEN', None)

def require_csrf(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        if request.method == 'POST':
            user_csrf = request.form.get('simplecsrf')
            # a missing field or a session without a server token must fail, not raise
            if not user_csrf or CSRF.verify(user_csrf, session.get('CSRF_TOKEN')) is False:
                flash('submitted csrf does not match combined server & user keys')
                return logout()  # your app's logout view; a failed check ends the session
            clear_csrf_tokens()
            flash('csrf user token and server token match', 'success')
            return f(*args, **kwargs)
        else:
            return f(*args, **kwargs)
    return decorated
Then use the @require_csrf decorator (placed below @app.route, so it wraps the view function itself) on each Flask view you'd like to require the check. As written it only checks POST; if a view changes state on PUT, PATCH or DELETE, extend the method test to cover those too.
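The whole flow above (token pair issued into a signed session, user half echoed in the form, check on submit, rotation afterwards) as a stand-alone, standard-library-only illustration. This is added example code, not flask-simple-csrf's own: HMAC-SHA256 over the user string is an assumption standing in for whatever CSRF.create/CSRF.verify do internally, SignedCookieSession stands in for Flask's signed session cookie, and the keys, form values and attacker inputs are constructed for the demo.

```python
# Added illustration of the stateless CSRF scheme; not flask-simple-csrf's code.
# HMAC-SHA256 is assumed in place of CSRF.create/CSRF.verify, and
# SignedCookieSession plays the role of Flask's signed session cookie.
import base64
import hashlib
import hmac
import json
import secrets

SECRET_CSRF_KEY = b"changeme-40-50-characters-long"        # the app-config value from above
COOKIE_SIGNING_KEY = b"constructed-stand-in-for-flask-SECRET_KEY"  # constructed for the demo


def random_string(length):
    # CSPRNG-backed; token_hex(n) returns 2n hex characters
    return secrets.token_hex(length // 2)


def create_token(user_csrf, key=SECRET_CSRF_KEY):
    # server half = HMAC(secret, per-session user string): the client may know
    # user_csrf (it is in the form) but cannot derive the token without the key
    return hmac.new(key, user_csrf.encode(), hashlib.sha256).hexdigest()


def verify_token(user_csrf, server_token, key=SECRET_CSRF_KEY):
    if not user_csrf or not server_token:
        return False
    # constant-time compare so a mismatch does not leak where the digests diverge
    return hmac.compare_digest(create_token(user_csrf, key), server_token)


class SignedCookieSession:
    """Dict that round-trips through a signed cookie: readable by the client but
    not changeable without COOKIE_SIGNING_KEY, which is the property Flask's
    session relies on and why no server-side store is needed."""

    @staticmethod
    def dump(data, key=COOKIE_SIGNING_KEY):
        payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
        sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        return payload + "." + sig

    @staticmethod
    def load(cookie, key=COOKIE_SIGNING_KEY):
        payload, _, sig = cookie.rpartition(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return {}  # missing, unsigned or tampered cookie: start an empty session
        return json.loads(base64.urlsafe_b64decode(payload))


def ensure_tokens(session):
    # mirrors the before_request hook: issue a pair only when the session lacks one
    if "CSRF_TOKEN" not in session or "USER_CSRF" not in session:
        session["USER_CSRF"] = random_string(64)
        session["CSRF_TOKEN"] = create_token(session["USER_CSRF"])
    return session


def csrf_html(user_csrf):
    # what the template helper emits into the protected form
    return '<input type="hidden" value="%s" name="simplecsrf">' % user_csrf


def handle_post(cookie, form):
    """One POST: load the signed session, run the require_csrf check, rotate the
    pair on success. Returns (accepted, cookie to send back to the client)."""
    session = ensure_tokens(SignedCookieSession.load(cookie))
    accepted = verify_token(form.get("simplecsrf"), session.get("CSRF_TOKEN"))
    if accepted:
        session.pop("USER_CSRF")   # clear_csrf_tokens(): next request gets a new pair,
        session.pop("CSRF_TOKEN")  # so a captured form value cannot be replayed
        ensure_tokens(session)
    return accepted, SignedCookieSession.dump(session)


def demo():
    # first GET: tokens issued, form rendered with the user half
    session = ensure_tokens({})
    cookie = SignedCookieSession.dump(session)
    user_value = session["USER_CSRF"]
    assert user_value in csrf_html(user_value)
    legit, cookie_after = handle_post(cookie, {"simplecsrf": user_value})
    # the same value submitted again after rotation
    replay, _ = handle_post(cookie_after, {"simplecsrf": user_value})
    # cross-site POST: the browser attaches the victim's cookie, but the attacker's
    # page cannot read it, so the form value is a guess
    forged, _ = handle_post(cookie, {"simplecsrf": "attacker-guess"})
    # an attacker who even knows SECRET_CSRF_KEY plants a matching pair in a cookie
    # signed with the wrong key: the session is rejected as tampered
    planted = {"USER_CSRF": "x" * 64, "CSRF_TOKEN": create_token("x" * 64)}
    tampered, _ = handle_post(SignedCookieSession.dump(planted, key=b"not-the-key"),
                              {"simplecsrf": "x" * 64})
    return {"legit": legit, "replay": replay, "forged": forged, "tampered": tampered}


if __name__ == "__main__":
    print(demo())  # {'legit': True, 'replay': False, 'forged': False, 'tampered': False}
```

The two checks that make the scheme hold are both in the cookie layer: the signature stops a client from planting its own pair, and the rotation after a successful submit stops a value lifted from one form being reused. Neither protects you if SECRET_KEY or SECRET_CSRF_KEY leaks, which is why both should be long CSPRNG output kept out of source control.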
Download files
File details
Details for the file flask-simple-csrf-1.2.0.tar.gz
File metadata
- Download URL: flask-simple-csrf-1.2.0.tar.gz
- Upload date:
- Size: 3.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.13.0 pkginfo/1.4.2 requests/2.21.0 setuptools/40.8.0 requests-toolbelt/0.8.0 tqdm/4.36.1 CPython/3.7.3
File hashes
Algorithm | Hash digest
---|---
SHA256 | 45c265c210e9073777454aae4136058a5c704c249c0712831c4c696e9bfd29b4
MD5 | 4eecc33168a95f77ffdc948654abd8dd
BLAKE2b-256 | 54be4f011f40c12f657bbec76deb7c1136b566f1a3b4d892c8f84084b79d03f3
File details
Details for the file flask_simple_csrf-1.2.0-py3-none-any.whl
File metadata
- Download URL: flask_simple_csrf-1.2.0-py3-none-any.whl
- Upload date:
- Size: 4.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.13.0 pkginfo/1.4.2 requests/2.21.0 setuptools/40.8.0 requests-toolbelt/0.8.0 tqdm/4.36.1 CPython/3.7.3
File hashes
Algorithm | Hash digest
---|---
SHA256 | 426719c80e2e5d9d03ccf8d94ddefdbf91094aaaf3fd87fc7d31f2c1d16206eb
MD5 | f336a85c0264edbcf15f267ee21de337
BLAKE2b-256 | c1352f91c14f3bd0f065334f95f71a66cf48271adf2152220cbacd8f336c70de