Issue #3 new

better check for unsafe request methods / check a X-CSRF-TOKEN header

Thomas Waldmann
created an issue

Currently, the check is "== 'POST'".

Should it rather be "not in ['GET', 'HEAD', 'TRACE', 'OPTIONS', ]"?

Also, for unsafe methods not using forms, it should (for the case where the form field get results in None) fall back to checking an HTTP header, like X-CSRF-TOKEN, that can be supplied for such cases (same content as the hidden input field value).
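The check the issue asks for, written out as an added, framework-independent example (this is not flask-csrf's own code). It treats every method outside the safe set as unsafe, prefers the hidden form field, and falls back to an `X-CSRF-TOKEN` header when the field is absent. The field name `_csrf_token`, the header name, and the `csrf_check` signature are assumptions for this example; in a Flask `before_request` hook the `form` and `headers` arguments would be `request.form` and `request.headers`, and `session_token` the value stored in the session.

```python
import hmac
import secrets
from typing import Mapping, Optional

# Safe (read-only) methods per RFC 7231 section 4.2.1; everything else must carry a token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})

# Assumed names for this example; not necessarily the ones flask-csrf uses.
FORM_FIELD = "_csrf_token"
HEADER_NAME = "X-CSRF-TOKEN"


def generate_token() -> str:
    """Fresh per-session token to store server-side and embed in forms/pages."""
    return secrets.token_urlsafe(32)


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (plain dicts are case-sensitive, HTTP names are not)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def csrf_check(method: str, session_token: Optional[str],
               form: Mapping[str, str], headers: Mapping[str, str]) -> bool:
    """Return True if the request may proceed, False if it should be rejected (e.g. 403)."""
    if method.upper() in SAFE_METHODS:
        return True
    if not session_token:
        # No token in the session means the client never got one; nothing can match.
        return False
    submitted = form.get(FORM_FIELD)
    if submitted is None:
        # Non-form clients (JSON/XHR) send the same value in a header instead.
        submitted = _get_header(headers, HEADER_NAME)
    if submitted is None:
        return False
    # Constant-time comparison so a wrong token does not leak how many bytes matched.
    return hmac.compare_digest(str(submitted), session_token)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    token = generate_token()
    print("GET without token:", csrf_check("GET", token, {}, {}))
    print("POST with form field:", csrf_check("POST", token, {FORM_FIELD: token}, {}))
    print("PUT with header only:", csrf_check("PUT", token, {}, {"x-csrf-token": token}))
    print("DELETE with nothing:", csrf_check("DELETE", token, {}, {}))
```

Note that when the form field is present but wrong, the header is not consulted: the fallback is only for the case the issue describes, where the field lookup yields `None`.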

Comments (0)
