46. Cross-Site Request Forgery (CSRF Intro)
CSRF attacks trick a victim's browser into sending state-changing requests to a site where the victim is already authenticated; because the browser attaches the session cookie automatically, the site cannot tell the forged request from a legitimate one.
Insecure Example
<!-- 46. HTML form without CSRF protection: any page on any origin can submit an
     identical POST, and the browser sends the victim's session cookie with it -->
<form action="/delete" method="POST">
  <input type="hidden" name="user" value="admin" />
  <button type="submit">Delete</button>
</form>
Secure Example
# 46. Flask with CSRF protection
from flask import Flask
from flask_wtf import CSRFProtect  # Flask-WTF's application-wide CSRF guard

app = Flask(__name__)
app.secret_key = "secret-key"  # signs the tokens; in production load a long random value from config, never a literal
csrf = CSRFProtect(app)  # rejects POST/PUT/PATCH/DELETE requests whose token is missing or invalid
# Every server-rendered form must carry the token:
# <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
✅ Lesson: Use CSRF tokens for all state-changing HTTP requests.
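The token check itself, worked through as an added example that is not part of the lesson's code: a standard-library-only model of the synchronizer-token pattern (no Flask), with a constructed Session, Request and Server and three requests against the same `/delete` action. It shows why the session cookie alone must not authorize a state change, why the token has to be bound to the session rather than merely valid, and how the legitimate form passes. All names, the form layout and the audit list are assumptions made for this illustration.

```python
# Added example (not the page's code): synchronizer-token CSRF protection
# modelled with the standard library only.
import hmac
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # One random token per session. A page on another origin cannot read it,
    # so it cannot be copied into a forged form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    cookies: dict  # the browser attaches these automatically, forged or not
    form: dict     # only the page that rendered the form knows the token


class Server:
    def __init__(self):
        self.sessions = {}  # session id -> Session
        self.deleted = []   # constructed audit log of deletions actually performed

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user)
        return sid

    def render_delete_form(self, sid):
        """Server-rendered form: the fix for the insecure form above is the hidden token."""
        token = self.sessions[sid].csrf_token
        return ('<form action="/delete" method="POST">'
                f'<input type="hidden" name="csrf_token" value="{token}" />'
                '<input type="hidden" name="user" value="admin" />'
                '<button type="submit">Delete</button></form>')

    def handle(self, req):
        session = self.sessions.get(req.cookies.get("session"))
        if session is None:
            return 401, "not logged in"
        if req.method == "POST":
            # Constant-time compare against the token bound to THIS session.
            submitted = req.form.get("csrf_token", "")
            if not hmac.compare_digest(submitted, session.csrf_token):
                return 403, "CSRF token missing or invalid"
        if req.method == "POST" and req.path == "/delete":
            self.deleted.append(req.form["user"])
            return 200, f"deleted {req.form['user']}"
        return 404, "not found"


def token_from_html(html):
    """What a page that actually rendered the form can read back out of it."""
    m = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return m.group(1) if m else ""


def demo():
    server = Server()
    victim_sid = server.login("alice")
    cookies = {"session": victim_sid}

    # 1. Forged request from a third-party page: the cookie rides along,
    #    but that page never saw the victim's token -> rejected.
    forged = Request("POST", "/delete", cookies, {"user": "admin"})
    r_forged = server.handle(forged)

    # 2. A token that is valid for some OTHER session is still rejected,
    #    because the check is against the token of the session in the cookie.
    other_sid = server.login("mallory")
    other_token = token_from_html(server.render_delete_form(other_sid))
    cross = Request("POST", "/delete", cookies, {"user": "admin", "csrf_token": other_token})
    r_cross = server.handle(cross)

    # 3. Legitimate submission of the form the server rendered for this session.
    token = token_from_html(server.render_delete_form(victim_sid))
    legit = Request("POST", "/delete", cookies, {"user": "admin", "csrf_token": token})
    r_legit = server.handle(legit)

    return r_forged[0], r_cross[0], r_legit[0], list(server.deleted)


if __name__ == "__main__":
    print(demo())  # (403, 403, 200, ['admin'])
```

The same three cases are what Flask-WTF's CSRFProtect enforces for you: it stores the token in the signed session, expects it back in `csrf_token`, and compares the two before your view runs, so any POST that reaches `/delete` has already proven it came from a page this session rendered.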