<h1>Welcome to flask-csrf’s documentation!<a class="headerlink" href="#welcome-to-flask-csrf-s-documentation" title="Permalink to this headline">¶</a></h1>
<p>The internet is a dangerous place. One common type of attack your site’s users
can fall victim to is <a class="reference external" href="">Cross-Site Request Forgery</a> attacks.</p>
<p>flask-csrf is a small extension to Flask that makes adding CSRF protection to
your <a class="reference external" href="">Flask</a> application quick and easy. It’s based on <a class="reference external" href="">this snippet</a> from
the Flask snippet site.</p>
<div class="section" id="installation">
<h2>Installation<a class="headerlink" href="#installation" title="Permalink to this headline">¶</a></h2>
<p>Install flask-csrf with <a class="reference external" href="">pip</a>:</p>
<div class="highlight-python"><pre>pip install -e 'hg+'</pre></div>
<p>Prefer <a class="reference external" href="">git</a> to <a class="reference external" href="">Mercurial</a>?</p>
<div class="highlight-python"><pre>pip install -e 'git+'</pre></div>
<div class="section" id="usage">
<h2>Usage<a class="headerlink" href="#usage" title="Permalink to this headline">¶</a></h2>
<p>To activate CSRF protection for your Flask application you need to do two
things. First, call the <tt class="docutils literal"><span class="pre">csrf</span></tt> function with your Flask app as a parameter:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="kn">from</span> <span class="nn">flask</span> <span class="kn">import</span> <span class="n">Flask</span>
<span class="kn">from</span> <span class="nn">flaskext.csrf</span> <span class="kn">import</span> <span class="n">csrf</span>
<span class="n">app</span> <span class="o">=</span> <span class="n">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span>  <span class="c"># also set app.secret_key: csrf_token() needs a session</span>
<span class="n">csrf</span><span class="p">(</span><span class="n">app</span><span class="p">)</span>
</pre></div></div>
<p>Once you do that you’ll need to add a CSRF token to every form on your site
that makes an HTTP <tt class="docutils literal"><span class="pre">POST</span></tt> request:</p>
<div class="highlight-python"><pre>&lt;input type="hidden" name="_csrf_token" value="{{ csrf_token() }}"&gt;</pre></div>
<p>If you have certain views that need to be excluded from this protection
(perhaps they receive <tt class="docutils literal"><span class="pre">POST</span></tt> requests from a third-party site) you can use
the <tt class="docutils literal"><span class="pre">csrf_exempt</span></tt> decorator to disable protection:</p>
<div class="highlight-python"><pre>from flaskext.csrf import csrf, csrf_exempt

@csrf_exempt
def my_receiving_view():
    # ...
    pass</pre></div>
<p>If for some reason you want to know <em>when</em> a CSRF attack happens, you can pass
a function to the <tt class="docutils literal"><span class="pre">csrf</span></tt> call and it will be called whenever an attack is</p>
<div class="highlight-python"><div class="highlight"><pre><span class="kn">from</span> <span class="nn">flaskext.csrf</span> <span class="kn">import</span> <span class="n">csrf</span>
<span class="n">attacks</span> <span class="o">=</span> <span class="mi">0</span>
<span class="k">def</span> <span class="nf">count_csrf_attacks</span><span class="p">(</span><span class="n">endpoint</span><span class="p">,</span> <span class="n">arguments</span><span class="p">):</span>
    <span class="k">global</span> <span class="n">attacks</span>  <span class="c"># without this, the += below raises UnboundLocalError</span>
    <span class="n">attacks</span> <span class="o">+=</span> <span class="mi">1</span>
<span class="n">csrf</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">on_csrf</span><span class="o">=</span><span class="n">count_csrf_attacks</span><span class="p">)</span>
</pre></div></div>
<p>This function must take two parameters:</p>
<ul class="simple">
<li><strong>endpoint</strong> - A string representing the view that would
normally handle this request.</li>
<li><strong>arguments</strong> - The arguments that would normally be passed (if
any) to that view.</li>
</ul>
<p>You can use this function to do anything you like; counting attacks is just
a simple example.</p>
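<p>As an added illustration (not code from flask-csrf itself), here is the mechanism the extension packages, written against current Flask with the same <tt class="docutils literal"><span class="pre">csrf</span></tt> / <tt class="docutils literal"><span class="pre">csrf_exempt</span></tt> / <tt class="docutils literal"><span class="pre">on_csrf</span></tt> shape this page describes: a <tt class="docutils literal"><span class="pre">before_request</span></tt> hook compares the form's <tt class="docutils literal"><span class="pre">_csrf_token</span></tt> with the one kept in the session, exempt views are skipped, and <tt class="docutils literal"><span class="pre">on_csrf</span></tt> receives the endpoint and its arguments. The routes, secret key and test-client requests are constructed for the demo.</p>

```python
import hmac, os
from flask import Flask, abort, request, session

def csrf_exempt(view):            # same role as flaskext.csrf.csrf_exempt: flag the view
    view._csrf_exempt = True
    return view

def csrf(app, on_csrf=lambda endpoint, arguments: None):   # same role as flaskext.csrf.csrf
    def csrf_token():             # exposed to templates as csrf_token(); one random token per session
        if '_csrf_token' not in session:
            session['_csrf_token'] = os.urandom(16).hex()
        return session['_csrf_token']
    @app.before_request
    def check_csrf():
        exempt = getattr(app.view_functions.get(request.endpoint), '_csrf_exempt', False)
        if request.method != 'POST' or exempt:
            return
        expected, submitted = session.get('_csrf_token'), request.form.get('_csrf_token')
        # A missing session token or form field always fails; otherwise compare in constant time.
        if not (expected and submitted and hmac.compare_digest(expected, submitted)):
            on_csrf(request.endpoint, request.view_args or {})
            abort(400)
    app.jinja_env.globals['csrf_token'] = csrf_token
    return csrf_token

def build_app(attack_log):        # constructed demo app; detected attacks are appended to attack_log
    app = Flask(__name__)
    app.secret_key = 'demo-only-not-a-real-secret'
    token = csrf(app, on_csrf=lambda endpoint, args: attack_log.append((endpoint, args)))
    @app.route('/token')          # stands in for a GET that renders a form containing csrf_token()
    def issue_token():
        return token()
    @app.route('/transfer/<int:amount>', methods=['POST'])
    def transfer(amount):
        return 'moved %d' % amount
    @app.route('/webhook', methods=['POST'])
    @csrf_exempt                  # third-party POSTs carry no session, so this view skips the check
    def webhook():
        return 'ok'
    return app

def run_demo():
    log = []
    c = build_app(log).test_client()
    results = {'exempt': c.post('/webhook').status_code,
               'no_token': c.post('/transfer/5').status_code}
    tok = c.get('/token').get_data(as_text=True)
    results['bad_token'] = c.post('/transfer/5', data={'_csrf_token': 'forged'}).status_code
    results['good_token'] = c.post('/transfer/5', data={'_csrf_token': tok}).status_code
    return results, log
```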
<div class="section" id="contribute">
<h2>Contribute<a class="headerlink" href="#contribute" title="Permalink to this headline">¶</a></h2>
<p>flask-csrf is open source and MIT licensed. If you want to contribute feel
free to fork the <a class="reference external" href="">Mercurial repository</a> or <a class="reference external" href="">git repository</a> and send a pull
