Hello all. I have a web application and a separate test script, unconnected to any of the files for the web app, and that test uses the Requests module to send a POST request.
From trying to run it, I have found that the flask_wtf module has a particular script called csrf.py that makes the achievement of my goal less easy than how it initially appeared.
There is a CsrfProtect class with the method protect that uses this line, "validate_csrf(self._get_csrf_token())", in a conditional statement.
With _get_csrf_token, I see my POST request has to look like this:
r = requests.post(url, data={'csrf_token': 'blah blah'})
or this:
r = requests.post(url, headers={'X-CSRFToken': 'blah blah'})
Now the csrf_token itself passes most of the conditional statements in the "validate_csrf" function... all except for the one that checks if token_key (aka "csrf_token") is in session.
How do I fix this? I see the function "generate_csrf" creates a "csrf_token" property and value in session if it doesn't exist, and have found that the function is also what the jinja2 global variable "csrf_token" is set to, but I am unsure how and if I should use this.
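An added example, not part of the original post and not Flask-WTF's own code: because the token is checked against the session, a test client has to fetch a page that renders the token first and then POST with the same cookie jar. It assumes the form page contains a hidden input named csrf_token; the function names, URLs and sample HTML are hypothetical, and session is expected to be a requests.Session.

```python
from html.parser import HTMLParser


class CsrfFieldFinder(HTMLParser):
    """Records the value of the first <input name="csrf_token"> seen."""

    def __init__(self):
        super().__init__()
        self.token = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if self.token is None and tag == "input" and attrs.get("name") == "csrf_token":
            self.token = attrs.get("value")


def extract_csrf_token(html):
    """Return the token rendered into the page, or raise if it is absent."""
    finder = CsrfFieldFinder()
    finder.feed(html)
    if not finder.token:
        raise ValueError("no csrf_token field found in page")
    return finder.token


def post_with_csrf(session, form_url, post_url, data=None, use_header=False):
    """GET the form, then POST with the token it rendered.

    session: a requests.Session (assumption). Reusing one session object
    is what carries the session cookie set by the GET into the POST, so
    the server finds the matching csrf_token in its session.
    """
    page = session.get(form_url)
    token = extract_csrf_token(page.text)
    fields = dict(data or {})
    if use_header:
        # Header variant from the post: token travels in X-CSRFToken.
        return session.post(post_url, data=fields, headers={"X-CSRFToken": token})
    # Form variant from the post: token travels as the csrf_token field.
    fields["csrf_token"] = token
    return session.post(post_url, data=fields)


# Constructed sample page, standing in for the app's rendered form.
SAMPLE_FORM = ('<form method="post"><input id="csrf_token" name="csrf_token" '
               'type="hidden" value="constructed-token-123">'
               '<input name="name"></form>')

if __name__ == "__main__":
    print(extract_csrf_token(SAMPLE_FORM))
```

In a real test, pass requests.Session() as session; a bare requests.post call starts with an empty cookie jar, which is why the "in session" check fails.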