Add authentication + CSRF protection to all mutating routes #5
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Severity: high
Category: security
Location:
app.py (all POST routes)Problem
The app has no auth at all and no CSRF tokens. Any device on the LAN can add/wipe financial records via a single POST, and a cross-origin page can mutate data silently.
Suggested fix
Add Basic Auth (reverse proxy or Flask-HTTPAuth) with a single env-stored password, and Flask-WTF CSRF on all forms.
Filed by automated code review.