Add authentication + CSRF protection to all mutating routes #5

Open
opened 2026-06-06 19:58:10 +00:00 by tonym · 0 comments

Severity: high
Category: security
Location: app.py (all POST routes)

Problem

The app has no auth at all and no CSRF tokens. Any device on the LAN can add/wipe financial records via a single POST, and a cross-origin page can mutate data silently.

Suggested fix

Add Basic Auth (reverse proxy or Flask-HTTPAuth) with a single env-stored password, and Flask-WTF CSRF on all forms.

Filed by automated code review.

**Severity:** high **Category:** security **Location:** `app.py (all POST routes)` ### Problem The app has no auth at all and no CSRF tokens. Any device on the LAN can add/wipe financial records via a single POST, and a cross-origin page can mutate data silently. ### Suggested fix Add Basic Auth (reverse proxy or Flask-HTTPAuth) with a single env-stored password, and Flask-WTF CSRF on all forms. _Filed by automated code review._
tonym added the
security
severity:high
labels 2026-06-06 19:58:10 +00:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: bonna61/Moon-Household-Budget#5
No description provided.