Language: python
Severity: low
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
OWASP: A01:2021 - Broken Access Control
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

Global CSRF (Cross-Site Request Forgery) protection in your Pyramid application has been disabled by calling config.set_default_csrf_options(require_csrf=False). With this setting, state-changing requests (anything other than the safe methods GET, HEAD, OPTIONS and TRACE) are not checked for a valid CSRF token in the csrf_token form field or the X-CSRF-Token header, so every view that relies on the application default is unprotected. Only views that opt in explicitly with require_csrf=True in their own view_config are still checked.
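To make the effect of that setting concrete, here is an added, stand-alone model of the check Pyramid's view deriver performs before a view runs. It is example code written for this page, not Pyramid's own implementation, and it deliberately avoids importing Pyramid so it runs anywhere: the Request class, the session dict and the token value are constructed for the example. The require_csrf argument of csrf_gate() stands in for the value passed to config.set_default_csrf_options(require_csrf=...); the token lookup order (form field, then header), the safe-method exemption and the constant-time comparison follow what pyramid.csrf.check_csrf_token does.

```python
"""Model of Pyramid's per-request CSRF gate (added example, not Pyramid code)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Defaults match set_default_csrf_options() in Pyramid.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
TOKEN_FIELD = "csrf_token"
TOKEN_HEADER = "X-CSRF-Token"


class BadCSRFToken(Exception):
    """Raised when a state-changing request carries no valid token."""


@dataclass
class Request:
    """Minimal stand-in for a Pyramid request (constructed for this example)."""
    method: str
    session: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def get_csrf_token(request):
    """Return the session's token, minting one on first use (as a session storage policy would)."""
    token = request.session.get("_csrft_")
    if token is None:
        token = secrets.token_hex(20)
        request.session["_csrft_"] = token
    return token


def check_csrf_token(request, raises=True):
    """Look in the form field first, then the header; compare in constant time."""
    supplied = request.POST.get(TOKEN_FIELD, "")
    if supplied == "":
        supplied = request.headers.get(TOKEN_HEADER, "")
    expected = request.session.get("_csrft_", "")
    ok = bool(expected) and hmac.compare_digest(str(supplied), expected)
    if not ok and raises:
        raise BadCSRFToken("check_csrf_token(): Invalid token")
    return ok


def csrf_gate(request, require_csrf):
    """Decision made before the view is called; True means the view may run.

    require_csrf plays the role of config.set_default_csrf_options(require_csrf=...).
    """
    if not require_csrf:
        return True  # the misconfiguration: nothing is checked at all
    if request.method in SAFE_METHODS:
        return True  # reads are exempt; they must not change state
    return check_csrf_token(request)  # raises BadCSRFToken on failure


def run_scenarios():
    """Run a forged and two legitimate POSTs through the gate; returns name -> allowed."""
    outcomes = {}

    # The victim is logged in: rendering a page minted a token into the session.
    session = {}
    token = get_csrf_token(Request("GET", session=session))

    # A cross-site POST rides on the browser's cookies, so it arrives with the
    # victim's session but no token (the attacker's page cannot read it).
    forged = Request("POST", session=session, POST={"new_email": "attacker@example.com"})
    outcomes["forged_with_require_csrf_false"] = csrf_gate(forged, require_csrf=False)
    try:
        outcomes["forged_with_require_csrf_true"] = csrf_gate(forged, require_csrf=True)
    except BadCSRFToken:
        outcomes["forged_with_require_csrf_true"] = False

    # The application's own form embeds the token as a hidden field.
    legit_form = Request("POST", session=session,
                         POST={"new_email": "me@example.com", TOKEN_FIELD: token})
    outcomes["legit_form"] = csrf_gate(legit_form, require_csrf=True)

    # An XHR client sends the same token in the header instead.
    legit_xhr = Request("POST", session=session, headers={TOKEN_HEADER: token})
    outcomes["legit_header"] = csrf_gate(legit_xhr, require_csrf=True)

    # Safe methods pass even with checking enabled.
    outcomes["get_exempt"] = csrf_gate(Request("GET", session=session), require_csrf=True)
    return outcomes


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:32s} -> {'view runs' if allowed else 'rejected'}")
```

In a real application the fix is the one-line change config.set_default_csrf_options(require_csrf=True), after which the forged request above is rejected with a 400 BadCSRFToken while both legitimate requests still pass; the safe-method exemption is only safe if GET handlers really do not change state.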

Impact

Without CSRF protection, an attacker-controlled page can submit requests to your application from a victim's browser; the browser attaches the victim's session cookies automatically, so any state-changing endpoint that relies on cookie-based authentication alone will execute the action as that user (changing account settings, an email address or password, or making transactions) without their consent. This can lead to unauthorized actions, data manipulation, or account takeover, undermining both user trust and application security.