CSRF Protection In Flask

CSRF Protection in Flask


Cross-site request forgery (CSRF) is a web security liability. That permits an attacker to convince users to do actions that they do not offer to do. It lets an assailant to partially avoid the same origin policy that is planned to prevent diverse websites from interfering with each other.

The effect of a rewarding CSRF attack is narrow to the abilities open. That is by the weak application and rights of the user. CSRF attacks are used by a foe to create a target system make a function through the victim’s browser. That is deprived of the victim’s information, as a minimum till the illegal transaction has been dedicated.

In this article, we will find how to stop the attacks of Cross-Site Request Forgery with the help of Flask.


  • Flask-WTF defends all forms against Cross-Site Request Forgery (CSRF) attacks by default.
  • A CSRF attack happens when a hateful website sends requests to a changed website on which the victim is logged in.
  • Flask-WTF essentials the application to configure an encryption key to appliance CSRF protection.
  • Flask-WTF usages this key to make encrypted tokens.
  • That are used to prove the authenticity of requests with form data.

Following illustration displays how to configure an encryption key.

Example: hello.py: Flask-WTF configuration

app = Flask(__name__)
app.config['SECRET_KEY'] = 'hard to guess string'
  • The app.config dictionary is a general-purpose home to store configuration variables used by the framework.
  • Similarly, used by the extensions, and the application itself.
  • Configuration values may be added to the app.config object with the help of standard dictionary syntax.
  • The configuration object too has methods to import configuration values from files or the environment.
  • The SECRET_KEY configuration variable is used as a common-purpose encryption key by Flask.
  • That is also used as numerous third-party extensions.
  • The power of the encryption be contingent on the value of this variable being secret as its name suggests.
  • Best choice a different secret key in each application that we build.
  • Verify that this string is not known by anyone.

Form Classes

  • Every web form is characterized by a class that receives from class Form when using Flask-WTF.
  • The class describes the list of fields in the form to each signified by an object.
  • Each field object may have one or more validators involved.
  • Validators are functions that check whether the input bow to by the user is valid.

Below instance shows a simple web form that has a text field and a submit button.

Example; hello.py: Form class definition

from flask.ext.wtf import Form
from wtforms import StringField, SubmitField
from wtforms.validators import Required
class NameForm(Form):
name = StringField('What is your name?', validators=[Required()])
submit = SubmitField('Submit')
  • The arenas in the form are well-defined as class variables.
  • For each class variable is assigned an object related with the field type.
  • The NameForm form has a text field called name and a submit button called submit in the earlier instance.
  • The StringField class embodies an <input> element with a type=”text” attribute.
  • The SubmitField class signifies an <input> element with a type=”submit” attribute.
  • In the beginning, argument to the field constructors is the label.
  • That would be used when interpreting the form to HTML.
  • The optional validator’s argument comprised in the StringField constructor defines a list of checkers.
  • That would be practical to the data submitted by the user before it is accepted.
  • The Required() validator safeguards that the field is not submitted empty.

HTML Version of Forms

  • Form fields are callable that, when invoked, from a template render themselves to HTML.
  • Supposing that the view function passes a NameForm instance to the template
  • As an argument named form, the template may produce a simple HTML form as follows:
<form method="POST">
{{ form.name.label }} {{ form.name() }}
{{ form.submit() }}
  • The result is very simple, obviously.
  • Any arguments sent into the calls that render the fields are converted into HTML attributes for the field to improve the look of the form.
  • Therefore, for instance, we can give the field id or class attributes and then define CSS styles.
<form method="POST">
{{ form.name.label }} {{ form.name(id='my-text-field') }}
{{ form.submit() }}
  • The strength necessary to render a form in this way is important but even with HTML attributes.
  • Therefore it is finest to leverage Bootstrap’s own set of form styles when likely.
  • Flask-Bootstrap offers a very high-level helper function.
  • That reduces an entire Flask- WTF form using Bootstrap’s predefined form styles, all with a single call.
  • The earlier form may be rendered as follows by using Flask-Bootstrap:
{% import "bootstrap/wtf.html" as wtf %}
{{ wtf.quick_form(form) }}
  • The import instruction works in the same method as regular Python scripts do.
  • They permits template elements to be imported and used in several templates.
  • The imported bootstrap or wtf.html file describes helper functions.
  • That reduce Flask-WTF forms using Bootstrap.
Mansoor Ahmed is Chemical Engineer, web developer, a writer currently living in Pakistan. My interests range from technology to web development. I am also interested in programming, writing, and reading.
Posts created 422

Related Posts

Begin typing your search term above and press enter to search. Press ESC to cancel.

Back To Top