Skip to main content

Extremely simple, "Good Enough" csrf implemention for flask forms, no server side sessions required.

Project description

Install

pip3 install flask-simple-csrf or if installing from source python3 setup.py install

How to use

This package is intended to assign a unique CSRF string per each form submit per user session, without requiring any backend session tracking. First, you'll want to set a variable SECRET_CSRF_KEY in your app config to a random, complex string. Example: SECRET_CSRF_KEY = 'wMmeltW4mhwidorQRli6Oxx9VPXldz'

Second, you probably want to add somthing like this to the top of your code:

from flask_simple_csrf import CSRF

#app.config should have an attribute that looks something like this
#CSRF_CONFIG = {
#    'SECRET_CSRF_KEY': 'changeme-40-50-characters-long',
#}

CSRF = CSRF(config=config.CSRF_CONFIG)
app = CSRF.init_app(app)

@app.before_request
def before_request():
        if 'CSRF_TOKEN' not in session or 'USER_CSRF' not in session:
            session['USER_CSRF'] = random_string(64)
            session['CSRF_TOKEN'] = CSRF.create(session['USER_CSRF'])

Each user session should have a unique CSRF string which changes on form submit.

In the HTML templates you want to protect, add: {{ csrf_html(session['USER_CSRF'])|safe }}

This will create something like this: <input type="hidden" value="9D..." name="simplecsrf">

I'd reccommend creating a wrapper to avoid code duplciation when checking for this value. Something like:

def require_csrf(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        if request.method == 'POST':
            user_csrf = request.form.get('simplecsrf')

            if CSRF.verify(user_csrf, session['CSRF_TOKEN']) is False:
                flash('submitted csrf does not match combined server & user keys')
                return logout()

            clear_csrf_tokens()
            flash('csrf user token and server token match', 'success')

            return f(*args, **kwargs)
        else:
            return f(*args, **kwargs)
    return decorated

Then use the @require_csrf decorator before each flask view you'd like to require the check.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for flask-simple-csrf, version 1.2.0
Filename, size File type Python version Upload date Hashes
Filename, size flask_simple_csrf-1.2.0-py3-none-any.whl (4.8 kB) File type Wheel Python version py3 Upload date Hashes View hashes
Filename, size flask-simple-csrf-1.2.0.tar.gz (3.4 kB) File type Source Python version None Upload date Hashes View hashes

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page