Quart CSRF Protection
Project description
Quart-Csrf
Quart-Csrf is an extension for Quart to provide CSRF protection. The code is taked from Flask-WTF.
Usage
To enable CSRF protection globally for a Quart app, you have to create an CSRFProtect and initialise it with the application,
from quart_csrf import CSRFProtect
app = Quart(__name__)
CSRFProtect(app)
or via the factory pattern,
csrf = CSRFProtect()
def create_app():
app = Quart(__name__)
csrf.init_app(app)
return app
Note: CSRF protection requires a secret key to securely sign the token. By default this will use the QUART app's SECRET_KEY. If you'd like to use a separate token you can set QUART_CSRF_SECRET_KEY.
HTML Forms: render a hidden input with the token in the form.
<form method="post">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
</form>
JavaScript Requests: When sending an AJAX request, add the X-CSRFToken header to it. For example, in jQuery you can configure all requests to send the token.
<meta name="csrf-token" content="{{ csrf_token() }}">
<script>
var csrf_token = $('meta[name=csrf-token]').attr('content');
// var csrf_token = "{{ csrf_token() }}";
$.ajaxSetup({
beforeSend: function(xhr, settings) {
if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type) && !this.crossDomain) {
xhr.setRequestHeader("X-CSRFToken", csrf_token);
}
}
});
</script>
Contributing
Quart-Csrf is developed on GitLab. You are very welcome to open issues or propose merge requests.
Help
This README is the best place to start, after that try opening an issue.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.