Flask Snippets

Snippets are unofficial and unmaintained.

This is an archived view of user-submitted snippets. Despite being hosted on the Flask site, they are not official. No Flask maintainer has curated or checked the snippets for security, correctness, or design.

CSRF Protection

Posted by Dan Jacob on 2010-05-03 @ 11:29 and filed in Security

A common technique against CSRF attacks is to add a random string to the session, and check that string against a hidden field in the POST.

import secrets
from flask import Flask, request, session, abort

app = Flask(__name__)
app.secret_key = secrets.token_bytes(32)  # the session cookie is signed with this

@app.before_request
def csrf_protect():
    # Every POST must carry the token stored in the session. The token is
    # popped before the comparison, so it is single-use either way.
    if request.method == "POST":
        token = session.pop('_csrf_token', None)
        if not token or token != request.form.get('_csrf_token'):
            abort(403)

def some_random_string():
    # Cryptographically random, URL-safe token from the standard library.
    return secrets.token_urlsafe(32)

def generate_csrf_token():
    # Create one token per session on first use and expose it to templates.
    if '_csrf_token' not in session:
        session['_csrf_token'] = some_random_string()
    return session['_csrf_token']

app.jinja_env.globals['csrf_token'] = generate_csrf_token

And then in your template:

<form method=post action="">
    <input name=_csrf_token type=hidden value="{{ csrf_token() }}">

This snippet by Dan Jacob can be used freely for anything you like. Consider it public domain.
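As an added example, not part of Dan Jacob's snippet: the same check wired into a minimal Flask app and driven with Flask's test client, showing a POST carrying the session's token passing while a replayed token, a missing token and a guessed token are each rejected with 403. The route, the inline form template and the per-run secret key are assumptions made for this demo.

```python
import secrets
from flask import Flask, request, session, abort, render_template_string

app = Flask(__name__)
app.secret_key = secrets.token_bytes(32)  # constructed per run for the demo

# Hypothetical form template; the hidden field mirrors the snippet above.
FORM = ('<form method=post action="">'
        '<input name=_csrf_token type=hidden value="{{ csrf_token() }}">'
        '</form>')

@app.before_request
def csrf_protect():
    # Pop first, compare second: the token is consumed by any POST.
    if request.method == "POST":
        token = session.pop('_csrf_token', None)
        if not token or token != request.form.get('_csrf_token'):
            abort(403)

def generate_csrf_token():
    # One random token per session, created lazily when a template asks for it.
    if '_csrf_token' not in session:
        session['_csrf_token'] = secrets.token_urlsafe(32)
    return session['_csrf_token']

app.jinja_env.globals['csrf_token'] = generate_csrf_token

@app.route('/', methods=['GET', 'POST'])
def index():
    if request.method == 'POST':
        return 'ok'
    return render_template_string(FORM)

def fetch_token(client):
    # Pull the hidden field's value out of the rendered form.
    page = client.get('/').get_data(as_text=True)
    return page.split('value="')[1].split('"')[0]

def run_scenario():
    """Return the status code of each POST in the order the checks are exercised."""
    client = app.test_client()  # keeps the session cookie between requests
    token = fetch_token(client)
    results = {'valid': client.post('/', data={'_csrf_token': token}).status_code,
               'replay': client.post('/', data={'_csrf_token': token}).status_code}
    fetch_token(client)  # a fresh GET issues a new token after the pop
    results['missing'] = client.post('/', data={}).status_code
    fetch_token(client)
    results['wrong'] = client.post('/', data={'_csrf_token': 'guessed'}).status_code
    return results
```

Because the token is popped on every POST, a second form submitted from another tab with the older token fails too; that is the behaviour the snippet chooses, not a bug in the demo.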
