security: add CSRF protection to all forms

- Add Flask-WTF dependency for CSRF protection - Initialize CSRFProtect in app.py - Add CSRF tokens to all POST forms in templates - Exempt /order JSON API endpoint (uses API key instead) This protects against Cross-Site Request Forgery attacks on all admin and user management operations. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-06 08:01:22 +01:00
parent 12eece0226
commit e062a1e836
8 changed files with 20 additions and 0 deletions
--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1,4 @@
+Flask>=3.0.0
+Flask-WTF>=1.2.0
+Werkzeug>=3.0.0
+gunicorn>=21.0.0