Flask SeaSurf

1. Basic Usage

from flask import Flask, request
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

@csrf.exempt
@app.route('/', methods=["GET", "POST"])
def index():
    if request.method == "POST":
        csrf.validate()
    return 'OK'

2. Custom CSRF Token Name

from flask import Flask, request
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app, csrf_name='my_csrf_token')

@csrf.exempt
@app.route('/', methods=["GET", "POST"])
def index():
    if request.method == "POST":
        csrf.validate()
    return 'OK'

3. Custom CSRF Token Cookie Name

from flask import Flask, request
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app, csrf_cookie_name='my_csrf_cookie')

@csrf.exempt
@app.route('/', methods=["GET", "POST"])
def index():
    if request.method == "POST":
        csrf.validate()
    return 'OK'

4. Custom CSRF Token Expiration Time

from flask import Flask, request
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app, csrf_token_expires=300)

@csrf.exempt
@app.route('/', methods=["GET", "POST"])
def index():
    if request.method == "POST":
        csrf.validate()
    return 'OK'

5. Custom CSRF Token Size

from flask import Flask, request
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app, csrf_token_size=32)

@csrf.exempt
@app.route('/', methods=["GET", "POST"])
def index():
    if request.method == "POST":
        csrf.validate()
    return 'OK'

6. Custom CSRF Salt

from flask import Flask, request
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app, csrf_secret_key='my_secret_key')

@csrf.exempt
@app.route('/', methods=["GET", "POST"])
def index():
    if request.method == "POST":
        csrf.validate()
    return 'OK'

7. Custom CSRF Token Generator

from flask import Flask, request
from flask_seasurf import SeaSurf

def custom_generator():
    return 'my_custom_token'

app = Flask(__name__)
csrf = SeaSurf(app, csrf_token_generator=custom_generator)

@csrf.exempt
@app.route('/', methods=["GET", "POST"])
def index():
    if request.method == "POST":
        csrf.validate()
    return 'OK'

8. Custom CSRF Token Validator

from flask import Flask, request
from flask_seasurf import SeaSurf

def custom_validator(csrf_token, scheme):
    return True

app = Flask(__name__)
csrf = SeaSurf(app, csrf_token_validator=custom_validator)

@csrf.exempt
@app.route('/', methods=["GET", "POST"])
def index():
    if request.method == "POST":
        csrf.validate()
    return 'OK'

9. Custom CSRF Token Header Name

from flask import Flask, request
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app, csrf_token_header='X-My-CSRF-Token')

@csrf.exempt
@app.route('/', methods=["GET", "POST"])
def index():
    if request.method == "POST":
        csrf.validate()
    return 'OK'

10. Disabled CSRF Protection for Specific Routes

from flask import Flask, request
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

@app.route('/login', methods=["GET", "POST"])
def login():
    return 'OK' # No CSRF protection for this route

11. Disabled CSRF Protection for Specific HTTP Methods

from flask import Flask, request
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

@csrf.exempt(methods=['OPTIONS'])
@app.route('/', methods=["GET", "POST"])
def index():
    return 'OK' # No CSRF protection for OPTIONS method

12. Disabled CSRF Protection for Specific Endpoints

from flask import Flask, request, jsonify
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

@csrf.exempt(endpoint='my_endpoint')
@app.route('/my-endpoint', methods=["GET", "POST"])
def my_endpoint():
    return jsonify({}) # No CSRF protection for this endpoint

13. Disabled CSRF Protection for Entire Blueprint

from flask import Blueprint, request
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

bp = Blueprint('my_blueprint', __name__)

@csrf.exempt(endpoint='my_blueprint.my_endpoint')
@bp.route('/my-endpoint', methods=["GET", "POST"])
def my_endpoint():
    return 'OK' # No CSRF protection for this blueprint

app.register_blueprint(bp)

14. Extract CSRF Token

from flask import Flask
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

@app.route('/')
def index():
    csrf.generate_unique_token()
    csrf_token = csrf.get_token()
    return csrf_token

15. Generate Unique CSRF Token

from flask import Flask
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

@app.route('/')
def index():
    csrf.generate_unique_token()
    csrf_token = csrf.token
    return csrf_token

16. Check CSRF Token Validity

from flask import Flask, request
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

@app.route('/', methods=["POST"])
def index():
    if csrf.validate_token(request.form.get('csrf_token')):
        return 'OK'
    else:
        return 'Invalid CSRF token'

17. Disable CSRF Protection

from flask import Flask
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)
csrf.disable()

@app.route('/', methods=["POST"])
def index():
    return 'OK' # CSRF protection is disabled

18. Dynamically Generate CSRF Token

from flask import Flask, request
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

@app.route('/')
def index():
    if request.method == 'GET':
        csrf.generate_unique_token()
        csrf_token = csrf.get_token()
    return csrf_token

19. Use CSRF Token in Header

from flask import Flask, request
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

@csrf.exempt
@app.route('/', methods=["POST"])
def index():
    csrf_token = request.headers.get('X-CSRF-Token')
    csrf.validate_token(csrf_token)
    return 'OK'

20. Use CSRF Token in Form

from flask import Flask, request
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

@csrf.exempt
@app.route('/', methods=["POST"])
def index():
    csrf_token = request.form.get('csrf_token')
    csrf.validate_token(csrf_token)
    return 'OK'

21. Use CSRF Token in Cookie

from flask import Flask, request
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

@csrf.exempt
@app.route('/', methods=["POST"])
def index():
    csrf_token = request.cookies.get('csrf_token')
    csrf.validate_token(csrf_token)
    return 'OK'

22. Disable CSRF Protection for Specific Domains

from flask import Flask
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

@app.route('/', host='example.com')
def index():
    csrf.disable()
    return 'OK' # CSRF protection is disabled for example.com

23. Disable CSRF Protection for Specific Methods

from flask import Flask
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

@csrf.exempt(methods=['GET'])
@app.route('/', methods=["POST", "GET"])
def index():
    return 'OK' # CSRF protection is disabled for GET requests

24. Ignore CSRF Protection for Static Files

from flask import Flask
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

app.config['SEND_FILE_MAX_AGE_DEFAULT'] = 0
csrf.exempt_static_files = True

@app.route('/')
def index():
    return 'OK' # CSRF protection is disabled for static files

25. Use Custom CSRF Protection Scheme

from flask import Flask
from flask_seasurf import SeaSurf

class CustomScheme(SeaSurf):
    def generate_token(self, **kwargs):
        pass

    def validate_token(self, token, **kwargs):
        pass

app = Flask(__name__)
csrf = CustomScheme(app)

26. Use Flask-Login with CSRF Protection

from flask import Flask, request, login_required
from flask_login import LoginManager, UserMixin, login_user
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)
login_manager = LoginManager()
login_manager.init_app(app)

class User(UserMixin):
    pass

@login_manager.user_loader
def load_user(user_id):
    return User()

@app.route('/login', methods=["POST"])
def login():
    if csrf.validate_token(request.form.get('csrf_token')):
        user = User()
        login_user(user)
        return 'OK'
    else:
        return 'Invalid CSRF token'

@app.route('/protected')
@login_required
def protected():
    return 'OK' # CSRF protection is enforced for logged-in users

27. Use with Flask-RESTful

from flask import Flask
from flask_restful import Resource, Api
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)
api = Api(app)

class MyResource(Resource):
    def post(self):
        if csrf.validate_token(request.get_json()['csrf_token']):
            return 'OK'
        else:
            return 'Invalid CSRF token'

api.add_resource(MyResource, '/my-resource')

28. Use with Flask-SocketIO

from flask import Flask, request
from flask_socketio import SocketIO, emit
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)
socketio = SocketIO(app)

@app.route('/', methods=["GET", "POST"])
def index():
    if request.method == 'POST':
        if csrf.validate_token(request.form.get('csrf_token')):
            emit('my_event', {'data': 'OK'})
        else:
            emit('my_event', {'data': 'Invalid CSRF token'})

29. Use with Flask-WTF

from flask import Flask, render_template, request
from flask_wtf import FlaskForm
from flask_seasurf import SeaSurf
from wtforms import StringField

app = Flask(__name__)
csrf = SeaSurf(app)

class MyForm(FlaskForm):
    username = StringField('Username')
    password = StringField('Password')

@app.route('/', methods=["GET", "POST"])
def index():
    form = MyForm()
    if form.validate_on_submit() and csrf.validate_token(form.csrf_token.data):
        username = form.username.data
        password = form.password.data
        # Do something with the form data
    return render_template('index.html', form=form)

30. Custom Error Handling

from flask import Flask
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

@app.errorhandler(400)
def handle_bad_request(error):
    return 'Bad request: ' + error.description, 400

@app.route('/', methods=["POST"])
def index():
    csrf.validate()
    return 'OK'

31. Use with Flask-Caching

from flask import Flask
from flask_cache import Cache
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)
cache = Cache(app)

@app.route('/', methods=["GET", "POST"])
@cache.cached(timeout=300)
def index():
    if request.method == 'POST':
        if csrf.validate_token(request.form.get('csrf_token')):
            return 'OK'
        else:
            return 'Invalid CSRF token'
    return 'OK'

32. Use with Flask-Babel

from flask import Flask, gettext
from flask_babel import Babel
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)
babel = Babel(app)

@babel.localeselector
def get_locale():
    return request.accept_languages.best_match(app.config['LANGUAGES'])

@app.route('/')
def index():
    csrf.generate_unique_token()
    csrf_token = csrf.get_token()
    return gettext('OK') + ' ' + csrf_token

33. Customize CSRF Token Name and Header

from flask import Flask
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app, csrf_name='my_token', csrf_header='X-My-Token')

34. Disable CSRF Token for Specific Blueprint

from flask import Blueprint
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

bp = Blueprint('my_blueprint', __name__)
csrf.exempt(bp)

35. Generate CSRF Token for AJAX Requests

from flask import Flask, request
from flask_seasurf import SeaSurf

app = Flask(__name__)
csrf = SeaSurf(app)

@app.route('/')
def index():
    if request.method == 'GET':
        csrf.generate_unique_token()
        csrf_token = csrf.get_token()
    return csrf_token

36. Customized CSRF Token Generation

from flask import Flask, request
from flask_seasurf import SeaSurf

def custom_generate_token(app):
    return 'my_custom_token'

app = Flask(__name__)
csrf = SeaSurf(app, csrf_token_generator=custom_generate_token)

PreviousFlask RESTPlus NextFlask Script