flask-csrf/index.html @ 0f6bab39c0f4 default tip
adopt: Update site.
| author | Steve Losh <steve@stevelosh.com> |
|---|---|
| date | Thu, 13 Jun 2024 13:05:28 -0400 |
| parents | 9ae2223d1010 |
| children | (none) |
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Welcome to flask-csrf’s documentation! — flask-csrf 0.9.1 documentation</title> <link rel="stylesheet" href="_static/flasky.css" type="text/css" /> <link rel="stylesheet" href="_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '', VERSION: '0.9.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="_static/jquery.js"></script> <script type="text/javascript" src="_static/underscore.js"></script> <script type="text/javascript" src="_static/doctools.js"></script> <link rel="top" title="flask-csrf 0.9.1 documentation" href="#" /> </head> <body> <div class=indexwrapper> <div class="document"> <div class="documentwrapper"> <div class="bodywrapper"> <div class="body"> <div class="section" id="welcome-to-flask-csrf-s-documentation"> <h1>Welcome to flask-csrf’s documentation!<a class="headerlink" href="#welcome-to-flask-csrf-s-documentation" title="Permalink to this headline">¶</a></h1> <p>The internet is a dangerous place. One common type of attack your site’s users can fall victim to is the <a class="reference external" href="http://www.squarefree.com/securitytips/web-developers.html#CSRF">Cross-Site Request Forgery</a> (CSRF) attack, in which another site tricks a logged-in user’s browser into submitting a request to yours with the user’s cookies attached.</p> <p>flask-csrf is a small extension to Flask that makes adding CSRF protection to your <a class="reference external" href="http://flask.pocoo.org/">Flask</a> application quick and easy. 
It’s based on <a class="reference external" href="http://flask.pocoo.org/snippets/3/">this snippet</a> from the Flask snippet site.</p> <div class="section" id="installation"> <h2>Installation<a class="headerlink" href="#installation" title="Permalink to this headline">¶</a></h2> <p>Install flask-csrf with <a class="reference external" href="http://pip.openplans.org/">pip</a>:</p> <div class="highlight-python"><pre>pip install -e 'hg+http://bitbucket.org/sjl/flask-csrf@v0.9.1#egg=flask-csrf'</pre> </div> <p>Prefer <a class="reference external" href="http://git-scm.com/">git</a> to <a class="reference external" href="http://hg-scm.org/">Mercurial</a>?</p> <div class="highlight-python"><pre>pip install -e 'git+http://github.com/sjl/flask-csrf.git@v0.9.1#egg=flask-csrf'</pre> </div> </div> <div class="section" id="usage"> <h2>Usage<a class="headerlink" href="#usage" title="Permalink to this headline">¶</a></h2> <p>To activate CSRF protection for your Flask application you need to do two things. 
First, call the <tt class="docutils literal"><span class="pre">csrf</span></tt> function with your Flask app as a parameter:</p> <div class="highlight-python"><div class="highlight"><pre><span class="kn">from</span> <span class="nn">flaskext.csrf</span> <span class="kn">import</span> <span class="n">csrf</span>

<span class="n">csrf</span><span class="p">(</span><span class="n">app</span><span class="p">)</span>
</pre></div> </div> <p>Once you do that you’ll need to add a CSRF token to every form on your site that makes an HTTP <tt class="docutils literal"><span class="pre">POST</span></tt> request, so the server can tell a form it rendered apart from one a foreign site submitted on the user’s behalf:</p> <div class="highlight-python"><pre><input type="hidden" name="_csrf_token" value="{{ csrf_token() }}"></pre> </div> <p>If you have certain views that need to be excluded from this protection (perhaps they receive <tt class="docutils literal"><span class="pre">POST</span></tt> requests from a third-party site, which has no way to know your users’ tokens) you can use the <tt class="docutils literal"><span class="pre">csrf_exempt</span></tt> decorator to disable protection for just those views:</p> <div class="highlight-python"><pre>from flaskext.csrf import csrf, csrf_exempt

@csrf_exempt
@app.route('/foo/')
def my_receiving_view():
    # ...
    pass

csrf(app)</pre> </div> <p>If for some reason you want to know <em>when</em> a CSRF attack happens, you can pass a function to the <tt class="docutils literal"><span class="pre">csrf</span></tt> call and it will be called whenever a <tt class="docutils literal"><span class="pre">POST</span></tt> fails the token check:</p> <div class="highlight-python"><div class="highlight"><pre><span class="kn">from</span> <span class="nn">flaskext.csrf</span> <span class="kn">import</span> <span class="n">csrf</span>

<span class="n">attacks</span> <span class="o">=</span> <span class="mi">0</span>

<span class="k">def</span> <span class="nf">count_csrf_attacks</span><span class="p">(</span><span class="n">endpoint</span><span class="p">,</span> <span class="n">arguments</span><span class="p">):</span>
    <span class="k">global</span> <span class="n">attacks</span>  <span class="c"># without this, attacks += 1 raises UnboundLocalError</span>
    <span class="n">attacks</span> <span class="o">+=</span> <span class="mi">1</span>

<span class="n">csrf</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">on_csrf</span><span class="o">=</span><span class="n">count_csrf_attacks</span><span class="p">)</span>
</pre></div> </div> <p>This function must take two parameters:</p> <ul class="simple"> <li><strong>endpoint</strong> - A string representing the view that would normally handle this request.</li> <li><strong>arguments</strong> - The arguments that would normally be passed (if any) to that view.</li> </ul> <p>You can use this function to do anything you like; counting attacks is just a simple example.</p> </div> <div class="section" id="contribute"> <h2>Contribute<a class="headerlink" href="#contribute" title="Permalink to this headline">¶</a></h2> <p>flask-csrf is open source and MIT licensed. 
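</p> <p>The following is an added example, not flask-csrf’s own code or documentation: it models the synchronizer-token check that the Usage section above relies on, in the shape of that API (<tt class="docutils literal"><span class="pre">csrf(app, on_csrf=...)</span></tt>, <tt class="docutils literal"><span class="pre">csrf_exempt</span></tt>, <tt class="docutils literal"><span class="pre">csrf_token()</span></tt>). The <tt class="docutils literal"><span class="pre">App</span></tt> and <tt class="docutils literal"><span class="pre">Request</span></tt> classes are stand-ins for Flask so that it runs with nothing installed, a <tt class="docutils literal"><span class="pre">CSRFError</span></tt> stands in for the rejected response, and the token generation and comparison (<tt class="docutils literal"><span class="pre">secrets</span></tt>, <tt class="docutils literal"><span class="pre">hmac.compare_digest</span></tt>) are this example’s choices, not a description of the extension’s internals. The requests it dispatches are constructed for the demonstration.</p>

```python
# Added illustration, not flask-csrf's own code: a synchronizer-token check in the
# shape of the API above (csrf(app, on_csrf=...), csrf_exempt, csrf_token()). App and
# Request stand in for Flask so this runs offline; CSRFError stands in for the rejected
# response; token generation and comparison (secrets, hmac) are this example's choices.
import hmac
import html
import secrets

_exempt_views = set()

class CSRFError(Exception):
    pass  # raised where the real extension would reject the request

def csrf_exempt(view):
    """Mark a view as exempt, e.g. one that third-party sites POST to."""
    _exempt_views.add(view)
    return view

class Request:
    # Stand-in for flask.request; instances below are constructed for the demo.
    def __init__(self, method, endpoint, form=None, view_args=None):
        self.method, self.endpoint = method, endpoint
        self.form = dict(form or {})
        self.view_args = dict(view_args or {})

class App:
    """Stand-in for a Flask app: routes, one user's session, before-request hooks."""
    def __init__(self):
        self.view_functions = {}
        self.session = {}          # per-user state behind the signed session cookie
        self.before_request_hooks = []
        self.jinja_globals = {}    # where csrf_token() is exposed to templates

    def route(self, endpoint):
        def decorator(view):
            self.view_functions[endpoint] = view
            return view
        return decorator

    def dispatch(self, request):
        for hook in self.before_request_hooks:
            hook(request)
        return self.view_functions[request.endpoint](**request.view_args)

def csrf(app, on_csrf=None):
    """Install the check; on_csrf(endpoint, arguments) runs on every rejection."""
    def csrf_token():
        # One unguessable token per session: a foreign site can make the browser
        # POST here with the user's cookies attached, but it cannot read this value.
        if '_csrf_token' not in app.session:
            app.session['_csrf_token'] = secrets.token_urlsafe(32)
        return app.session['_csrf_token']

    def check(request):
        if request.method != 'POST':
            return
        if app.view_functions.get(request.endpoint) in _exempt_views:
            return
        expected = app.session.get('_csrf_token', '')
        submitted = request.form.get('_csrf_token', '')
        # Constant-time comparison, so a near-miss token is not slower to reject.
        if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
            if on_csrf is not None:
                on_csrf(request.endpoint, request.view_args)
            raise CSRFError(request.endpoint)

    app.before_request_hooks.append(check)
    app.jinja_globals['csrf_token'] = csrf_token

def hidden_input(app):
    """What the template line value="{{ csrf_token() }}" renders to for this user."""
    token = app.jinja_globals['csrf_token']()
    return '<input type="hidden" name="_csrf_token" value="%s">' % html.escape(token)

def run_demo():
    # Dispatch legitimate, forged, wrong-token, exempt and GET requests.
    app, attacks = App(), []
    csrf(app, on_csrf=lambda endpoint, arguments: attacks.append((endpoint, dict(arguments))))

    @app.route('transfer')
    def transfer(account):
        return 'moved money from ' + account

    @csrf_exempt
    @app.route('webhook')
    def webhook():
        return 'webhook accepted'

    token = app.jinja_globals['csrf_token']()   # what this user's rendered forms carry
    results, alice = {}, {'account': 'alice'}

    def attempt(name, request):
        try:
            results[name] = app.dispatch(request)
        except CSRFError:
            results[name] = 'rejected'

    attempt('legit', Request('POST', 'transfer', {'_csrf_token': token}, alice))
    attempt('forged', Request('POST', 'transfer', {}, alice))           # cross-site form: no token
    attempt('wrong', Request('POST', 'transfer', {'_csrf_token': 'A' * 43}, alice))
    attempt('exempt', Request('POST', 'webhook'))                       # third-party receiver
    attempt('get', Request('GET', 'transfer', view_args=alice))         # only POST is checked
    return results, attacks
```

<p>Running <tt class="docutils literal"><span class="pre">run_demo()</span></tt> shows the forged and wrong-token POSTs rejected and reported to <tt class="docutils literal"><span class="pre">on_csrf</span></tt> with the endpoint and its arguments, while the legitimate POST, the exempt webhook and the GET go through. Two things carry over to a real Flask application: the model keeps the token in the user’s session, so the app needs a <tt class="docutils literal"><span class="pre">SECRET_KEY</span></tt> for the session cookie to be signed and the token to survive between requests, and only <tt class="docutils literal"><span class="pre">POST</span></tt> is checked, so state-changing actions must not be reachable by <tt class="docutils literal"><span class="pre">GET</span></tt>.</p> <p>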
If you want to contribute, feel free to fork the <a class="reference external" href="http://bitbucket.org/sjl/flask-csrf/">Mercurial repository</a> or <a class="reference external" href="http://github.com/sjl/flask-csrf/">git repository</a> and send a pull request.</p> </div> </div> </div> </div> </div> <div class="clearer"></div> </div> <div class="footer">Created by <a href="http://stevelosh.com/">Steve Losh</a> </div> </body> </html>