Implement CSRF

app/app.py

@@ -3,10 +3,12 @@
 """Flask web server."""
 
 from flask import Flask, render_template, request
+from flask_wtf.csrf import CSRFProtect
 from app.send_page import send_page
 
 
 app = Flask(__name__)
+csrf = CSRFProtect(app)
 
 @app.route("/", methods=['GET'])
 def index():

app/main.py

@@ -2,11 +2,15 @@
 
 """Main module."""
 
-from app.app import app
+import os
+
+from app.app import app, csrf
 
 
 def main():
     """Run the app."""
+    app.secret_key = os.urandom(12).hex()
+    csrf.init_app(app)
     app.run()
 
 

app/templates/index.html

@@ -24,7 +24,7 @@
     <div class="container">
         <header class="d-flex flex-wrap justify-content-center py-3 mb-4 border-bottom">
           <a href="/" class="d-flex align-items-center mb-3 mb-md-0 me-md-auto text-dark text-decoration-none">
-            <img src="{{ url_for('static', filename='msg.png') }}" class="bi me-2" height="32"/>
+            <img alt="ePage logo" src="{{ url_for('static', filename='msg.png') }}" class="bi me-2" height="32"/>
             <span class="fs-4">ePage</span>
           </a>
         </header>
@@ -63,6 +63,7 @@
           </div>
         </div>
         <br>
+        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
       <button class="btn btn-primary" type="submit">Submit</button>
     </form>
     

requirements.txt

@@ -2,6 +2,7 @@ certifi==2022.6.15
 charset-normalizer==2.1.0
 click==8.1.3
 Flask==2.1.2
+flask_wtf-1.0.1
 idna==3.3
 itsdangerous==2.1.2
 Jinja2==3.1.2
@@ -9,3 +10,4 @@ MarkupSafe==2.1.1
 requests==2.28.1
 urllib3==1.26.10
 Werkzeug==2.1.2
+WTForms-3.0.1

tests/__init__.py

@@ -2,13 +2,16 @@
 
 """PyTest unit tests."""
 
+import os
 import pytest
 
-from app.app import app
+from app.app import app, csrf
 
 
 @pytest.fixture
 def client():
     """Set up Flask client for use in tests."""
+    app.secret_key = os.urandom(12).hex()
+    csrf.init_app(app)
     client = app.test_client()
     yield client