Announcing Flask-SeaSurf (updated CSRF protection for your Flask)
- From:
- Max Countryman
- Date:
- 2011-12-10 @ 22:32
Hi all!
I'm happy to announce a new CSRF protection extension for Flask called
Flask-SeaSurf. Although there is an existing extension, Flask-CSRF, due to
a few shortcomings and the fact that the author hasn't updated it in quite
some time, I decided to draw on the work of the Django project and create
a modern option.
Flask-SeaSurf has several advantages over Flask-CSRF:
• Constant time comparison of tokens, so timing attacks aren't effective
• Tokens are hashed using a salted SHA1 based on secret_key and randrange
• Vary-cookie based storage of tokens with user defined timeouts
• Class-based extension, rather than a module with loose functions
• Should play nice with testing, although your mileage may vary
It should be nearly completely compatible with projects already using
Flask-CSRF. All you have to do is import the module and then instantiate
the class like this:
csrf = SeaSurf(app)
That said, CSRF view exemption is slightly different, as the module is
class-based. So instead of:
@csrf_exempt
@app.route('/foobar')
def foobar():
    return 'bad'
You'd use:
@csrf.exempt
@app.route('/foobar')
def foobar():
    return 'bad'
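As an added illustration of the mechanisms listed above (a cookie-stored token, a timeout, constant-time comparison, and per-view exemption), here is a self-contained sketch written for this post; it is not code from Flask-SeaSurf or Django. The function names, the one-hour timeout and the use of secrets.randbelow in place of randrange are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Methods that change no state and are therefore not checked (hypothetical set
# for this example; matches the usual "safe methods" convention).
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
TOKEN_TIMEOUT = 60 * 60  # seconds; assumed one-hour cookie lifetime


def generate_token(secret_key: str) -> str:
    """Salted SHA1 over a random value and the app's secret key.

    secrets.randbelow stands in for randrange so the salt comes from the OS
    CSPRNG rather than the default Mersenne Twister generator."""
    salt = str(secrets.randbelow(2 ** 63))
    return hashlib.sha1((salt + secret_key).encode()).hexdigest()


def tokens_match(expected, provided) -> bool:
    """Constant-time comparison of the cookie token and the submitted token.

    A plain == stops at the first mismatching byte, so response timing would
    reveal how much of the token an attacker had guessed correctly."""
    if expected is None or provided is None:
        return False
    return hmac.compare_digest(expected.encode(), provided.encode())


def validate(method, cookie_token, form_token, issued_at, now, exempt=False):
    """Decide whether a request passes the CSRF check; returns (ok, reason).

    issued_at / now are Unix timestamps supplied by the caller so the timeout
    logic can be exercised without sleeping."""
    if exempt or method in SAFE_METHODS:
        return True, "not checked"
    if cookie_token is None:
        return False, "missing cookie token"
    if now - issued_at > TOKEN_TIMEOUT:
        return False, "token expired"
    if not tokens_match(cookie_token, form_token):
        return False, "token mismatch"
    return True, "ok"
```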
The project is available on GitHub:
https://github.com/maxcountryman/flask-seasurf
And Sphinx-compiled documentation is available here:
http://packages.python.org/Flask-SeaSurf/
I'd welcome any suggestions or comments. If you want to contribute, please
make a pull request. I'll be happy to review your changes.
Cheers,
Max