Will It Vibe logoWill It Vibe?
AUTHZ-011Medium severity-8 points

CSRF protection globally disabled (Flask-WTF)

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

Flask-WTF CSRF protection is switched off with WTF_CSRF_ENABLED = False, removing token checks from every form and POST endpoint.

Why it matters

WTF_CSRF_ENABLED = False disables CSRF token validation across the whole Flask app. Every form and POST endpoint then accepts requests forged by other sites in a logged-in user's browser. This global switch is often flipped during testing and left off.

How to fix it

Set WTF_CSRF_ENABLED = True (its default) and include the CSRF token in your forms with form.hidden_tag() or {{ csrf_token() }}. If you disabled it only for a test configuration, scope that to the test settings rather than the shared config. For token-authenticated JSON APIs that do not use cookies, use a separate blueprint with CSRF exempted intentionally rather than turning it off everywhere.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks