tmdinosaurcenter/kiosk-guestbook
1
0
Fork 0
mirror of https://github.com/tmdinosaurcenter/kiosk-guestbook.git synced 2026-06-04 01:28:46 -06:00
Code Issues Packages Projects Releases Wiki Activity

feat: add CSRF protection to all POST forms

Browse Source 
Installs Flask-WTF and enables CSRFProtect globally. Adds csrf_token
hidden fields to all four POST forms (login, delete entry, add user,
delete user, and the public guestbook form). Exempts the API endpoint
which uses header-based key auth instead.
This commit is contained in:
Steve Dogiakos
2026-03-28 23:17:26 -06:00
parent 9ad7128619
commit ecdcc044b7
6 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
templates/admin.html
+1
View File
@@ -47,6 +47,7 @@
{% if current_user.role != 'viewer' %}
<form method="POST" action="{{ url_for('admin_delete', entry_id=g[0]) }}?page={{ page }}"
onsubmit="return confirm('Delete entry for {{ g[1] }} {{ g[2] }}?')">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<button type="submit" class="btn btn-danger btn-sm">Delete</button>
</form>
{% endif %}