tmdinosaurcenter/kiosk-guestbook
1
0
Fork 0
mirror of https://github.com/tmdinosaurcenter/kiosk-guestbook.git synced 2026-06-04 02:29:09 -06:00
Code Issues Packages Projects Releases Wiki Activity

feat: add CSRF protection to all POST forms

Browse Source 
Installs Flask-WTF and enables CSRFProtect globally. Adds csrf_token
hidden fields to all four POST forms (login, delete entry, add user,
delete user, and the public guestbook form). Exempts the API endpoint
which uses header-based key auth instead.
This commit is contained in:
Steve Dogiakos
2026-03-28 23:17:26 -06:00
parent 9ad7128619
commit ecdcc044b7
6 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
templates/admin_login.html
+1
View File
@@ -15,6 +15,7 @@
<div class="alert alert-danger py-2">{{ error }}</div>
{% endif %}
<form method="POST" action="{{ url_for('admin_login', next=request.args.get('next', '')) }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<div class="mb-3">
<label for="username" class="form-label">Username</label>
<input type="text" id="username" name="username" class="form-control"