{"id":23752,"library":"flask-seasurf","title":"Flask-SeaSurf","description":"Flask-SeaSurf is an updated CSRF protection extension for Flask applications. It provides cross-site request forgery prevention via tokens, with support for AJAX requests, cookie-based tokens, and exclusion patterns. Version 2.0.0 is the latest release, with maintenance as needed.","status":"active","version":"2.0.0","language":"python","source_language":"en","source_url":"https://github.com/maxcountryman/flask-seasurf","tags":["flask","csrf","security","extension"],"install":[{"cmd":"pip install flask-seasurf","lang":"bash","label":"Install from PyPI"}],"dependencies":[],"imports":[{"note":"Flask extensions were renamed; flask.ext.* is deprecated since Flask 0.12 and removed in Flask 2.0.","wrong":"from flask.ext.seasurf import SeaSurf","symbol":"SeaSurf","correct":"from flask_seasurf import SeaSurf"}],"quickstart":{"code":"from flask import Flask\nfrom flask_seasurf import SeaSurf\n\napp = Flask(__name__)\napp.secret_key = 'your-secret-key'\n\ncsrf = SeaSurf(app)\n\n@app.route('/')\ndef index():\n    return '''<form action=\"/submit\" method=\"post\">\n        <input type=\"hidden\" name=\"_csrf_token\" value=\"{{ csrf_token() }}\">\n        <input type=\"submit\">\n    </form>'''\n\n@app.route('/submit', methods=['POST'])\ndef submit():\n    return 'OK'\n\nif __name__ == '__main__':\n    app.run()","lang":"python","description":"Initialize SeaSurf with the Flask app and include {{ csrf_token() }} in forms. The token expression is only expanded when the form is rendered through Jinja (render_template or render_template_string); the inline string returned by index() above is sent as-is, so the hidden field would carry the literal placeholder instead of a token. Replace 'your-secret-key' with a random value loaded from configuration or the environment rather than committing it to source."},"warnings":[{"fix":"Update templates to render csrf_token() or decorate routes with @csrf.add_csrf_token.","message":"In version 2.0.0, the CSRF token is no longer automatically injected into responses. You must manually include {{ csrf_token() }} in your templates or use the `add_csrf_token` decorator.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"Update any client-side code that reads the cookie, or configure the cookie name via CSRF_COOKIE_NAME.","message":"Flask-SeaSurf 2.0.0 changed the default token cookie name from 'csrf_token' to '_csrf_token' to avoid conflicts with other frameworks.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"Set app.secret_key or SECRET_KEY config to a random value kept out of source control before initializing SeaSurf.","message":"SeaSurf requires `SECRET_KEY` to be set on the app, otherwise it raises a RuntimeError on initialization.","severity":"gotcha","affected_versions":"all"},{"fix":"Include the token in a header like X-CSRFToken with the same value as the cookie or template token.","message":"When using AJAX, the token must be sent via the X-CSRFToken header (or configured header). SeaSurf does not check POST body tokens by default for AJAX requests.","severity":"gotcha","affected_versions":"all"}],"env_vars":null,"last_verified":"2026-05-01T00:00:00.000Z","next_check":"2026-07-30T00:00:00.000Z","problems":[{"fix":"Change import to 'from flask_seasurf import SeaSurf'.","cause":"Using the deprecated flask.ext.seasurf namespace, removed in Flask 2.0.","error":"ImportError: cannot import name 'SeaSurf' from 'flask.ext.seasurf'"},{"fix":"Add 'app.secret_key = \"your-secret-key\"' before initializing SeaSurf.","cause":"Flask app does not have SECRET_KEY configured.","error":"RuntimeError: A secret key is required to use CSRF."}],"ecosystem":"pypi","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}