Implement CSRF protection with Flask-WTF #21#59
@VishalRaut2106 is attempting to deploy a commit to the 007's projects Team on Vercel. A member of the Team first needs to authorize it.
| # Enable CSRF protection | ||
| csrf = CSRFProtect(app) | ||
| app.secret_key = os.environ.get('SECRET_KEY', 'dev-secret-key-change-this-in-prod') | ||
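Review bot: the hardcoded fallback on the `app.secret_key` line should not ship. Any deployment that forgets to set `SECRET_KEY` silently runs with a value that is in the repository, and since Flask signs session cookies and Flask-WTF signs CSRF tokens with this key, both become forgeable there. Prefer failing fast, e.g. `app.secret_key = os.environ["SECRET_KEY"]` (a `KeyError` at startup is better than a predictable key), and allow a random `secrets.token_hex(32)` only when `app.debug` is true; note that a random per-process fallback also invalidates sessions on every restart and breaks multi-worker deployments, where each worker would mint its own key and reject the others' tokens. Minor: `CSRFProtect(app)` is called before `app.secret_key` is assigned; this works because Flask reads the key at request time, but setting the key first makes the dependency explicit.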
Correctness: The hardcoded fallback 'dev-secret-key-change-this-in-prod' for app.secret_key makes session and CSRF tokens predictable if the SECRET_KEY environment variable is not set. This is a security vulnerability that allows for session hijacking and CSRF bypass. Use a cryptographically secure random fallback or raise an error if the environment variable is missing.
In `app.py` at the line setting `app.secret_key`, remove the predictable hardcoded default. Use `os.environ.get('SECRET_KEY') or secrets.token_hex(16)` so dev remains functional while avoiding a fixed secret in production.
@Eswaramuthu I have resolved the conflicts

@Eswaramuthu bro, all my PRs got merged, but still I haven't got any points

@Eswaramuthu bro, why are you not giving points to me? It's been more than a week and still I am on 0 points

Implements CSRF protection to prevent Cross-Site Request Forgery attacks on form submissions.
Changes:
Installed Flask-WTF.
Initialized CSRFProtect in app.py.
Added {{ csrf_token() }} to all POST forms in templates.
Verification:
Verified that forms (Login, Registration, Achievement Submission) include the token.
Verified that requests without the token are rejected (400 Bad Request).
Closes #21
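Added example (not code from this PR or from Flask-WTF): a stdlib-only model of the two things the PR and the review comment hinge on, a fail-fast `SECRET_KEY` loader and the synchronizer-token check that turns a missing or unsigned token into a 400. The function names, the `session`/`form` dicts and the token layout are assumptions for illustration; Flask-WTF's real implementation differs in detail, but the dependency on an unpredictable secret is the same.

```python
# Added example, not from the PR: simplified model of CSRF token issue/verify
# and of loading SECRET_KEY without a predictable hardcoded fallback.
import hashlib
import hmac
import secrets


def load_secret_key(env: dict, debug: bool = False) -> str:
    """Return SECRET_KEY from env; outside debug mode refuse to start without it.

    A random per-process key is acceptable only in development: it changes on
    every restart and differs between workers, so sessions and CSRF tokens
    would silently break in production.
    """
    key = env.get("SECRET_KEY")
    if key:
        return key
    if debug:
        return secrets.token_hex(32)  # fresh random key, dev only
    raise RuntimeError("SECRET_KEY must be set in production")


def _sign(secret_key: str, raw: str) -> str:
    # HMAC over the per-session value with the app secret; a predictable
    # secret would let anyone recompute this signature.
    return hmac.new(secret_key.encode(), raw.encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(secret_key: str, session: dict) -> str:
    """Store a random per-session value and return it with its signature (what csrf_token() renders)."""
    session.setdefault("csrf_raw", secrets.token_hex(16))
    raw = session["csrf_raw"]
    return f"{raw}.{_sign(secret_key, raw)}"


def check_csrf(secret_key: str, session: dict, form: dict) -> int:
    """Return an HTTP status: 400 when the token is missing or invalid, 200 when it verifies."""
    token = form.get("csrf_token")
    if not token or "csrf_raw" not in session:
        return 400
    raw, _, sig = token.partition(".")
    if not hmac.compare_digest(raw, session["csrf_raw"]):
        return 400  # token does not belong to this session
    if not hmac.compare_digest(sig, _sign(secret_key, raw)):
        return 400  # signature not made with the app secret
    return 200
```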