From ff9e0b2712b61b6f515e2dbd57f08952fe870386 Mon Sep 17 00:00:00 2001
From: Bryan Newbold
Date: Tue, 2 Apr 2019 16:16:25 -0700
Subject: fix CSRF for WTF forms

---
 python/fatcat_web/web_config.py | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'python/fatcat_web/web_config.py')

diff --git a/python/fatcat_web/web_config.py b/python/fatcat_web/web_config.py
index 8fe50049..8ece91f7 100644
--- a/python/fatcat_web/web_config.py
+++ b/python/fatcat_web/web_config.py
@@ -39,6 +39,11 @@ class Config(object):
     IA_XAUTH_CLIENT_ID = os.environ.get("IA_XAUTH_CLIENT_ID", default=None)
     IA_XAUTH_CLIENT_SECRET = os.environ.get("IA_XAUTH_CLIENT_SECRET", default=None)
 
+    # CSRF on by default, but only for WTF forms (not, eg, search, lookups, GET
+    # forms)
+    WTF_CSRF_CHECK_DEFAULT = True
+    WTF_CSRF_TIME_LIMIT = None
+
     # protect cookies (which include API tokens)
     if FATCAT_DOMAIN != "dev.fatcat.wiki":
         SESSION_COOKIE_HTTPONLY = True
-- 
cgit v1.2.3
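Review bot: `WTF_CSRF_TIME_LIMIT = None` removes token expiry entirely, so a CSRF token that leaks stays valid for the whole life of the session cookie, which the comment just below says carries API tokens; Flask-WTF's default is 3600 seconds, and if the unbounded lifetime is intentional the reason belongs next to it, e.g. `# no expiry: CSRF tokens live as long as the session (Flask-WTF default is 3600 s)`. The added comment also overstates the scope: with `WTF_CSRF_CHECK_DEFAULT = True` (already Flask-WTF's default) CSRFProtect checks every view for the methods in `WTF_CSRF_METHODS`, whether or not the handler uses a FlaskForm, and GET forms such as search are skipped only because GET is not in that method list. A more accurate comment would be `# CSRFProtect checks every POST/PUT/PATCH/DELETE view; GET forms (search, lookups) are never checked`. Both settings only take effect if CSRFProtect is registered on the app, which this hunk does not show; the enclosing Config class continues outside the hunk.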