You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- New configuration option SECURITY_LOGOUT_CSRF that enables CSRF checking
- On CSRF failure, return a new logout_user_template which is basically a confirmation form (with CSRF token)
- Improve CSRF documentation
- Change logout menu to be a POST (and therefore a button)
close#1237
Copy file name to clipboardExpand all lines: docs/patterns.rst
+32-18Lines changed: 32 additions & 18 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -273,37 +273,51 @@ CSRF
273
273
By default, Flask-Security, via Flask-WTForms protects all form based POSTS
274
274
from CSRF attacks using well vetted per-session hidden-form-field csrf-tokens.
275
275
276
-
Any web application that relies on session cookies for authentication must have CSRF protection.
276
+
Any web application that uses a session cookie for authentication must have CSRF protection.
277
277
For more details please read this `OWASP CSRF cheatsheet <https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md>`_.
278
-
A couple important take-aways - first - it isn't about forms versus JSON - it is about
279
-
how the API is authenticated (session cookies versus authentication token). Second there is the
280
-
concern about 'login CSRF' - is protection needed prior to authentication (yes if
281
-
you have a really secure/popular site).
278
+
As mentioned in the OWASP cheatsheet - pure JSON requests should be immune from CSRF exploits ASSUMING that the application
279
+
has a properly set CORS policy. Flask-Security, via Werkzeug, is careful to ONLY accept JSON with an ``"application/+json"`` header.
280
+
However, currently, there is no way to configure Flask-Security to accept ONLY ``"application/json"`` - meaning that it is important
281
+
to properly pass CSRF tokens for ALL requests.
282
282
283
283
Flask-Security strives to support various options for both its endpoints (e.g. ``/login``)
284
284
and the application endpoints (protected with Flask-Security decorators such as :func:`.auth_required`).
285
285
286
286
If your application just uses forms that are derived from ``Flask-WTF::Flaskform`` - you are done.
287
-
Note that all of Flask-Security's endpoints are form based (regardless of how the request was made).
288
-
289
-
.. note::
290
-
The logout endpoint has never been form-based and has never had CSRF protection. With the addition
291
-
of the refresh token feature, logout now accepts form/json input - but still does not support
292
-
CSRF protection.
287
+
All of Flask-Security's endpoints are form based (regardless of how the request was made).
288
+
289
+
Login CSRF
290
+
++++++++++++
291
+
Read more about this at `OWASP <https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md#possible-csrf-vulnerabilities-in-login-forms>`_.
292
+
293
+
Logout CSRF
294
+
++++++++++++
295
+
Prior to release 5.9 the logout endpoint never accepted any input nor enabled CSRF protection so
296
+
there was never any possible errors. Furthermore, both ``"GET"`` and ``"POST"`` were accepted.
297
+
Best practice is to accept only ``"POST"`` requests to avoid trivial 'auto-logout' attacks.
298
+
Requiring CSRF for the logout endpoint is best practice - however there are many
299
+
sources that disagree with this (and in fact, security advisories are usually NOT issued for applications that don't
300
+
support that). The usability issue is that users may or may not be looking for an error when they click the logout button
301
+
and NOT logging them out is worse. Flask-Security supports requiring CSRF for logout with the
0 commit comments