Configuration

WTF_CSRF_ENABLED Set to False to disable all CSRF protection.
WTF_CSRF_CHECK_DEFAULT When using the CSRF protection extension, this controls whether every view is protected by default. Default is True.
WTF_CSRF_SECRET_KEY Random data for generating secure tokens. If this is not set then SECRET_KEY is used.
WTF_CSRF_METHODS HTTP methods to protect from CSRF. Default is {'POST', 'PUT', 'PATCH', 'DELETE'}.
WTF_CSRF_FIELD_NAME Name of the form field and session key that holds the CSRF token.
WTF_CSRF_HEADERS HTTP headers to search for CSRF token when it is not provided in the form. Default is ['X-CSRFToken', 'X-CSRF-Token'].
WTF_CSRF_TIME_LIMIT Max age in seconds for CSRF tokens. Default is 3600. If set to None, the CSRF token is valid for the life of the session.
WTF_CSRF_SSL_STRICT Whether to enforce the same origin policy by checking that the referrer matches the host. Only applies to HTTPS requests. Default is True.
WTF_I18N_ENABLED Set to False to disable Flask-Babel I18N support.

Recaptcha

RECAPTCHA_USE_SSL Enable/disable recaptcha through SSL. Default is False.
RECAPTCHA_PUBLIC_KEY required A public key.
RECAPTCHA_PRIVATE_KEY required A private key. https://www.google.com/recaptcha/admin
RECAPTCHA_OPTIONS optional A dict of configuration options.

Logging

CSRF errors are logged at the INFO level to the flask_wtf.csrf logger. You still need to configure logging in your application in order to see these messages.