| Setting | Description |
| --- | --- |
| WTF_CSRF_ENABLED | Set to False to disable all CSRF protection. |
| WTF_CSRF_CHECK_DEFAULT | When using the CSRF protection extension, this controls whether every view is protected by default. Default is True. |
| WTF_CSRF_SECRET_KEY | Random data for generating secure tokens. If this is not set then SECRET_KEY is used. |
| WTF_CSRF_METHODS | HTTP methods to protect from CSRF. Default is {'POST', 'PUT', 'PATCH', 'DELETE'}. |
| WTF_CSRF_FIELD_NAME | Name of the form field and session key that holds the CSRF token. |
| WTF_CSRF_HEADERS | HTTP headers to search for CSRF token when it is not provided in the form. Default is ['X-CSRFToken', 'X-CSRF-Token']. |
| WTF_CSRF_TIME_LIMIT | Max age in seconds for CSRF tokens. Default is 3600. If set to None, the CSRF token is valid for the life of the session. |
| WTF_CSRF_SSL_STRICT | Whether to enforce the same origin policy by checking that the referrer matches the host. Only applies to HTTPS requests. Default is True. |
| WTF_I18N_ENABLED | Set to False to disable Flask-Babel I18N support. |
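The following added example (not part of Flask-WTF or its documentation) audits a config mapping, such as a Flask `app.config`, for values that relax the CSRF settings listed above. The function name `audit_csrf_config` and both sample configs are constructed for illustration, and the `True` default for WTF_CSRF_ENABLED is an assumption not stated in the table.

```python
# Added example: report CSRF settings that are weaker than the documented defaults.
DEFAULTS = {
    "WTF_CSRF_ENABLED": True,  # assumption: default not stated in the table above
    "WTF_CSRF_CHECK_DEFAULT": True,
    "WTF_CSRF_METHODS": {"POST", "PUT", "PATCH", "DELETE"},
    "WTF_CSRF_TIME_LIMIT": 3600,
    "WTF_CSRF_SSL_STRICT": True,
}

def audit_csrf_config(config):
    """Return (key, finding) pairs for settings that relax CSRF protection."""
    # Effective values: explicit settings override the documented defaults.
    eff = {**DEFAULTS, **{k: config[k] for k in DEFAULTS if k in config}}
    findings = []
    if not eff["WTF_CSRF_ENABLED"]:
        findings.append(("WTF_CSRF_ENABLED", "all CSRF protection is disabled"))
    if not eff["WTF_CSRF_CHECK_DEFAULT"]:
        findings.append(("WTF_CSRF_CHECK_DEFAULT", "views are not protected by default"))
    # Any default state-changing method left out of the set is unprotected.
    missing = DEFAULTS["WTF_CSRF_METHODS"] - {m.upper() for m in eff["WTF_CSRF_METHODS"]}
    if missing:
        findings.append(("WTF_CSRF_METHODS", "unprotected methods: " + ", ".join(sorted(missing))))
    if eff["WTF_CSRF_TIME_LIMIT"] is None:
        findings.append(("WTF_CSRF_TIME_LIMIT", "tokens stay valid for the life of the session"))
    if not eff["WTF_CSRF_SSL_STRICT"]:
        findings.append(("WTF_CSRF_SSL_STRICT", "referrer is not checked on HTTPS requests"))
    # WTF_CSRF_SECRET_KEY falls back to SECRET_KEY; one of the two must be set.
    if not (config.get("WTF_CSRF_SECRET_KEY") or config.get("SECRET_KEY")):
        findings.append(("WTF_CSRF_SECRET_KEY", "no key set and no SECRET_KEY to fall back on"))
    return findings

# Constructed sample configs (not taken from any real application).
WEAK = {
    "SECRET_KEY": "constructed-sample-key",
    "WTF_CSRF_METHODS": ["POST"],
    "WTF_CSRF_TIME_LIMIT": None,
    "WTF_CSRF_SSL_STRICT": False,
}
HARDENED = {
    "SECRET_KEY": "constructed-sample-key",
    "WTF_CSRF_SECRET_KEY": "constructed-csrf-key",
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_csrf_config(cfg) or "no findings")
```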