Update the list of configuration variables #104

Merged
merged 2 commits into from Aug 3, 2021
67 changes: 55 additions & 12 deletions docs/index.rst
Expand Up @@ -43,18 +43,61 @@ then passing your application object back to the extension, like this:
csrf = SeaSurf(app)

This extension is configurable via a set of configuration variables which can
be added to the Flask app's config file:

- `CSRF_COOKIE_NAME` for the cookie name
- `CSRF_COOKIE_TIMEOUT` for the cookie timeout
- `CSRF_COOKIE_HTTPONLY` for setting the cookie HTTPOnly flag
- `CSRF_COOKIE_SECURE` for setting the cookie secure flag
- `CSRF_COOKIE_PATH` for setting the cookie path
- `CSRF_COOKIE_DOMAIN` for setting the cookie domain
- `CSRF_COOKIE_SAMESITE` for setting the cookie samesite
- `CSRF_DISABLE` to disable CSRF prevention

Except for the last option, all values are passed verbatim to the `Response.set_cookie
be added to the Flask app's config:

.. list-table:: Title
:widths: 25 50 25
:header-rows: 1

* - Variable name
- Description
- Default

* - `CSRF_COOKIE_NAME`
- The cookie name, also used as the session variable name.
- `'_csrf_token'`

* - `CSRF_COOKIE_TIMEOUT`
- After what time the cookie expires.
- `timedelta(days=5)`

* - `CSRF_COOKIE_SECURE`
- Whether the cookie is required to be transferred over a secure connection.
- `False`

* - `CSRF_COOKIE_HTTPONLY`
- HttpOnly flag of the cookie. Whether it can be read by JS.
- `False`

* - `CSRF_COOKIE_PATH`
- Indicates a URL path that must exist in the requested URL in order to send the Cookie header
- `'/'`

* - `CSRF_COOKIE_DOMAIN`
- Setting the cookie domain.
- `None`

* - `CSRF_COOKIE_SAMESITE`
- Setting the cookie SameSite policy.
- `'Lax'`

* - `CSRF_CHECK_REFERER`
- Enable checking the `Referer` header.
- True

* - `CSRF_DISABLE`
- Disables CSRF protection globally.
- `False` unless `app.config['TESTING']` is set to `True`

* - `CSRF_HEADER_NAME`
- The header that would contain the token.
- `'X-CSRFToken'`

* - `SEASURF_INCLUDE_OR_EXEMPT_VIEWS`
- Possible values: `'exempt'`, `'include'`.
- `'exempt'`

All the values prefixed with `CSRF_COOKIE_` are passed verbatim to the `Response.set_cookie
<http://flask.pocoo.org/docs/0.12/api/#flask.Response.set_cookie>`_ method.

Corresponding code will need to be added to the templates where `POST`, `PUT`,
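Review bot: the `CSRF_COOKIE_HTTPONLY` row describes the flag as "Whether it can be read by JS", which is inverted: when `HttpOnly` is set the cookie is not readable from script, so reword it along the lines of "HttpOnly flag of the cookie. When true, the cookie cannot be read from JavaScript." Two smaller points in the same table: `.. list-table:: Title` is a leftover placeholder caption (give it a real title such as "Configuration variables" or drop the caption), and the `CSRF_CHECK_REFERER` default `True` is the only default not wrapped in backticks, unlike `False` and `'Lax'` in the neighbouring rows. Since `CSRF_COOKIE_SECURE` and `CSRF_COOKIE_HTTPONLY` both default to `False`, the paragraph after the table would be a good place to say that deployments served over HTTPS should enable `CSRF_COOKIE_SECURE`, and that `CSRF_COOKIE_HTTPONLY` can be enabled whenever the token is delivered through the template or the `CSRF_HEADER_NAME` header rather than read from the cookie by client-side code. The `Response.set_cookie` link still points at the 0.12 docs; consider updating it to the current Flask documentation URL.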