Description
The CSRF configuration in `app.py` allows CSRF protection to be disabled via an environment variable without logging any warning, and it does not validate that the CSRF time limit falls within a reasonable range.
Affected File
- `app.py` (lines 270-295)
Current Code
```python
csrf_enabled = os.getenv("CSRF_ENABLED", "TRUE").upper() == "TRUE"
app.config["WTF_CSRF_ENABLED"] = csrf_enabled
csrf_time_limit = os.getenv("CSRF_TIME_LIMIT", "").strip()
if csrf_time_limit:
    try:
        app.config["WTF_CSRF_TIME_LIMIT"] = int(csrf_time_limit)  # No max/min validation
    except ValueError:
        app.config["WTF_CSRF_TIME_LIMIT"] = None
```
What to Do
- Add a logger warning when CSRF is disabled
- Add min/max validation for CSRF_TIME_LIMIT (e.g., 300-86400 seconds)
```python
if not csrf_enabled:
    logger.warning("CSRF protection is DISABLED. This is not recommended for production.")

if csrf_time_limit:
    try:
        limit = int(csrf_time_limit)
        if limit < 300:
            logger.warning(f"CSRF_TIME_LIMIT={limit}s is very short. Minimum recommended: 300s")
        elif limit > 86400:
            logger.warning(f"CSRF_TIME_LIMIT={limit}s is very long. Maximum recommended: 86400s")
        app.config["WTF_CSRF_TIME_LIMIT"] = limit
    except ValueError:
        logger.warning(f"Invalid CSRF_TIME_LIMIT: {csrf_time_limit}. Using default.")
        # Note: in Flask-WTF, None means the token never expires (valid for the
        # life of the session), which is not the same as the library default.
        app.config["WTF_CSRF_TIME_LIMIT"] = None
```
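As an added, self-contained illustration of the validation pattern proposed above (not the project's code), the helper below reads the same two environment variables, warns when CSRF is disabled, and goes one step further than the proposal by clamping out-of-range limits to the 300-86400 s window and by falling back to Flask-WTF's documented default (3600 s) instead of `None` on bad input. The function name `resolve_csrf_config` and the constants are assumptions.

```python
import logging
import os

logger = logging.getLogger(__name__)

CSRF_MIN_SECONDS = 300        # lower bound suggested in this issue
CSRF_MAX_SECONDS = 86400      # upper bound suggested in this issue
CSRF_DEFAULT_SECONDS = 3600   # Flask-WTF's default for WTF_CSRF_TIME_LIMIT


def resolve_csrf_config(env=None):
    """Derive WTF_CSRF_* settings from CSRF_ENABLED / CSRF_TIME_LIMIT.

    Returns a dict suitable for app.config.update(). Never stores None for
    WTF_CSRF_TIME_LIMIT, because in Flask-WTF None means tokens never expire.
    `env` defaults to os.environ; a plain dict may be passed for testing.
    """
    env = os.environ if env is None else env
    config = {}

    enabled = env.get("CSRF_ENABLED", "TRUE").strip().upper() == "TRUE"
    config["WTF_CSRF_ENABLED"] = enabled
    if not enabled:
        logger.warning("CSRF protection is DISABLED via CSRF_ENABLED; "
                       "do not run this configuration in production")

    raw = env.get("CSRF_TIME_LIMIT", "").strip()
    if not raw:
        return config  # leave Flask-WTF's own default untouched

    try:
        limit = int(raw)
    except ValueError:
        logger.warning("Invalid CSRF_TIME_LIMIT=%r; using default %ds",
                       raw, CSRF_DEFAULT_SECONDS)
        config["WTF_CSRF_TIME_LIMIT"] = CSRF_DEFAULT_SECONDS
        return config

    if limit < CSRF_MIN_SECONDS:
        logger.warning("CSRF_TIME_LIMIT=%ds is below the %ds minimum; clamping",
                       limit, CSRF_MIN_SECONDS)
        limit = CSRF_MIN_SECONDS
    elif limit > CSRF_MAX_SECONDS:
        logger.warning("CSRF_TIME_LIMIT=%ds exceeds the %ds maximum; clamping",
                       limit, CSRF_MAX_SECONDS)
        limit = CSRF_MAX_SECONDS

    config["WTF_CSRF_TIME_LIMIT"] = limit
    return config
```

Wire it in with `app.config.update(resolve_csrf_config())` so the warnings appear in the application log at startup.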
Skills You'll Learn
- CSRF protection concepts
- Configuration validation patterns
- Security logging