fix CSRF for WTF forms

author: Bryan Newbold <bnewbold@robocracy.org> 2019-04-02 16:16:25 -0700
committer: Bryan Newbold <bnewbold@robocracy.org> 2019-04-02 16:16:25 -0700
commit: ff9e0b2712b61b6f515e2dbd57f08952fe870386 (patch)
tree: b3d0cb3d94a49c0d42801cf15e51806da4ef4313 /python/fatcat_web/web_config.py
parent: 8e460a157c94f86fd9248203553194e2709490d9 (diff)
download: fatcat-ff9e0b2712b61b6f515e2dbd57f08952fe870386.tar.gz
fatcat-ff9e0b2712b61b6f515e2dbd57f08952fe870386.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/python/fatcat_web/web_config.py b/python/fatcat_web/web_config.py
index 8fe50049..8ece91f7 100644
--- a/python/fatcat_web/web_config.py
+++ b/python/fatcat_web/web_config.py
@@ -39,6 +39,11 @@ class Config(object):
     IA_XAUTH_CLIENT_ID = os.environ.get("IA_XAUTH_CLIENT_ID", default=None)
     IA_XAUTH_CLIENT_SECRET = os.environ.get("IA_XAUTH_CLIENT_SECRET", default=None)
 
+    # CSRF on by default, but only for WTF forms (not, eg, search, lookups, GET
+    # forms)
+    WTF_CSRF_CHECK_DEFAULT = True
+    WTF_CSRF_TIME_LIMIT = None
+
     # protect cookies (which include API tokens)
     if FATCAT_DOMAIN != "dev.fatcat.wiki":
         SESSION_COOKIE_HTTPONLY = True
author	Bryan Newbold <bnewbold@robocracy.org>	2019-04-02 16:16:25 -0700
committer	Bryan Newbold <bnewbold@robocracy.org>	2019-04-02 16:16:25 -0700
commit	ff9e0b2712b61b6f515e2dbd57f08952fe870386 (patch)
tree	b3d0cb3d94a49c0d42801cf15e51806da4ef4313 /python/fatcat_web/web_config.py
parent	8e460a157c94f86fd9248203553194e2709490d9 (diff)
download	fatcat-ff9e0b2712b61b6f515e2dbd57f08952fe870386.tar.gz fatcat-ff9e0b2712b61b6f515e2dbd57f08952fe870386.zip