Disable CSRF check for requests without cookies
Closed this issue · 3 comments
My Flask app has a mix of regular routes that are supposed to be used by end users and routes for REST API exposure.
I want to protect the regular routes with CSRF (they will be used by users with cookies), but don't need it for the APIs (they will have header authentication).
Is there any way to disable the CSRF check in Flask-WTF for requests that have no cookies set at all?
Use the `Meta` object or options to control things such as CSRF: https://wtforms.readthedocs.io/en/2.3.x/meta/
For example, if your API is under the `api` blueprint:
```python
from flask import request
from flask_wtf import FlaskForm


class APIForm(FlaskForm):
    class Meta:
        # A new Meta instance is built per form instance, so this
        # property is evaluated on every request.
        @property
        def csrf(self):
            # CSRF stays on everywhere except the api blueprint
            return request.blueprint != "api"
```
Or another check, depending on your requirements.
But then the `api` blueprint will have no CSRF protection at all, and those routes could be attacked using CSRF if the user has cookies.
OK, then make the check more complex. Only you know the requirements you need for your specific API; the concept remains the same no matter what those requirements are. I think you're misunderstanding CSRF.