feat: add CSRF protection to all POST forms

Installs Flask-WTF and enables CSRFProtect globally. Adds csrf_token hidden fields to all four POST forms (login, delete entry, add user, delete user, and the public guestbook form). Exempts the API endpoint which uses header-based key auth instead.
2026-06-04 00:17:44 -06:00 · 2026-03-28 23:17:26 -06:00
parent 9ad7128619
commit ecdcc044b7
6 changed files with 9 additions and 0 deletions
@@ -70,6 +70,7 @@
        {% endif %}

        <form method="post" action="/" class="mb-4">
+            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
            <div class="mb-3">
                <label for="first_name" class="form-label">First Name(s):</label>
                <input type="text" class="form-control" id="first_name" name="first_name" required />