CSRF protection globally disabled (Flask-WTF)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
Flask-WTF CSRF protection is switched off with WTF_CSRF_ENABLED = False, removing token checks from every form and POST endpoint.
Why it matters
WTF_CSRF_ENABLED = False disables CSRF token validation across the whole Flask app. Every form and POST endpoint then accepts requests forged by other sites in a logged-in user's browser. This global switch is often flipped during testing and left off.
How to fix it
Set WTF_CSRF_ENABLED = True (its default) and include the CSRF token in your forms with form.hidden_tag() or {{ csrf_token() }}. If you disabled it only for a test configuration, scope that to the test settings rather than the shared config. For token-authenticated JSON APIs that do not use cookies, use a separate blueprint with CSRF exempted intentionally rather than turning it off everywhere.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo