
Using Python/Flask hosted on Heroku (using SSL with some other additional security features), I'm having an issue where users using a browser proxy extension (regular proxy servers that are on before the browser is opened are usually fine) are causing missing CSRF token errors when they submit forms.

The only thing I can find online about this issue is https://nickjanetakis.com/blog/fix-missing-csrf-token-issues-with-flask but I can't mess with the config as referenced here.

Everything works fine if the proxy is on your machine (not a chrome web browser proxy).

Has anyone had this issue before? The only information I can find references if your server is on a proxy, not your user...

Thanks for your insights and help!

Robert Guice
  • Update: The error can be pinpointed to the proxy setting "Disable website referrer". – Robert Guice Nov 29 '18 at 23:09
  • The CSRF tokens can only be used once and are limited in time. Are you using WTForms? Maybe you can increase the lifetime with https://flask-wtf.readthedocs.io/en/stable/config.html (or disable it, which causes a security issue however). – Tohmaxxx Nov 30 '18 at 08:22
  • It's not a timeout factor... It works just fine without a browser based proxy. When it disables the website referrer, it hides the header and I guess it appears as though the data was sent from a different server so the CSRF token comes back blank? – Robert Guice Dec 01 '18 at 13:49
  • Maybe set WTF_CSRF_SSL_STRICT to false? Otherwise, print() and compare the incoming headers to debug the problem. – Tohmaxxx Dec 02 '18 at 14:19

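A simplified model of the check the comments are discussing, added here as an example (it is not Flask-WTF's own code, though it follows the documented behaviour of WTF_CSRF_SSL_STRICT): over HTTPS the referrer must be present and match the host, so a client that strips the Referer header is rejected even when its form token is valid. The Request class and the sample requests are constructed for illustration.

```python
"""Model of the checks a CSRF-protected form POST must pass over HTTPS:
the token check and, when WTF_CSRF_SSL_STRICT is on, the Referer/origin
check. Simplified model written for this page, not Flask-WTF's code."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass
class Request:
    """Constructed stand-in for the request fields the check uses."""
    is_secure: bool           # True when the request arrived over HTTPS
    host: str                 # Host header, e.g. "app.example.com"
    referrer: Optional[str]   # Referer header; None when the client stripped it
    token_valid: bool         # outcome of the form-token comparison (assumed done)


def same_origin(a: str, b: str) -> bool:
    """True when both URLs share scheme, hostname and port."""
    pa, pb = urlparse(a), urlparse(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def csrf_check(req: Request, ssl_strict: bool = True) -> Optional[str]:
    """Return None when the POST is accepted, otherwise the rejection reason."""
    if not req.token_valid:
        return "The CSRF token is missing."
    if req.is_secure and ssl_strict:
        if not req.referrer:
            # The case a "disable website referrer" proxy setting triggers.
            return "The referrer header is missing."
        if not same_origin(req.referrer, f"https://{req.host}/"):
            return "The referrer does not match the host."
    return None


def rejection_summary(reqs, ssl_strict: bool = True) -> dict:
    """Tally outcomes over a batch of requests; a spike in 'referrer header is
    missing' points at referrer-stripping clients rather than expired tokens."""
    summary: dict = {}
    for r in reqs:
        reason = csrf_check(r, ssl_strict) or "accepted"
        summary[reason] = summary.get(reason, 0) + 1
    return summary


if __name__ == "__main__":
    host = "app.example.com"  # constructed sample host
    batch = [Request(True, host, f"https://{host}/form", True),
             Request(True, host, None, True),              # referrer stripped
             Request(True, host, "https://other.example/", True)]
    print(rejection_summary(batch))
```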