config.rst

Configuration

WTF_CSRF_ENABLED

Set to False to disable all CSRF protection.

WTF_CSRF_CHECK_DEFAULT

When using the CSRF protection extension, this controls whether every view is protected by default. Default is True.

WTF_CSRF_SECRET_KEY

Random data for generating secure tokens. If this is not set then SECRET_KEY is used.

WTF_CSRF_METHODS

HTTP methods to protect from CSRF. Default is {'POST', 'PUT', 'PATCH', 'DELETE'}.

WTF_CSRF_FIELD_NAME

Name of the form field and session key that holds the CSRF token.

WTF_CSRF_HEADERS

HTTP headers to search for CSRF token when it is not provided in the form. Default is ['X-CSRFToken', 'X-CSRF-Token'].

WTF_CSRF_TIME_LIMIT

Max age in seconds for CSRF tokens. Default is 3600. If set to None, the CSRF token is valid for the life of the session.

WTF_CSRF_SSL_STRICT

Whether to enforce the same origin policy by checking that the referrer matches the host. Only applies to HTTPS requests. Default is True.

WTF_I18N_ENABLED

Set to False to disable Flask-Babel I18N support.

Recaptcha

RECAPTCHA_PUBLIC_KEY

required A public key.

RECAPTCHA_PRIVATE_KEY

required A private key. https://www.google.com/recaptcha/admin

RECAPTCHA_PARAMETERS

optional A dict of configuration options.

RECAPTCHA_HTML

optional Override default HTML template for Recaptcha.

RECAPTCHA_DATA_ATTRS

optional A dict of data- attributes to use for the Recaptcha div.

Logging

CSRF errors are logged at the INFO level to the flask_wtf.csrf logger. You still need to configure logging in your application in order to see these messages.
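The CSRF settings and the logging note above can be checked together before deployment. The following is an added example, not code from Flask-WTF: `audit_csrf_config` and `enable_csrf_logging` are hypothetical helper names, the sample configs are constructed, and treating any departure from the documented defaults as a finding is this example's own policy.

```python
import logging

# Default protected methods as stated in the configuration list above.
PROTECTED_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def audit_csrf_config(config):
    """Hypothetical helper: list (key, message) findings for weakened CSRF settings."""
    findings = []
    if not config.get("WTF_CSRF_ENABLED", True):
        findings.append(("WTF_CSRF_ENABLED", "all CSRF protection is disabled"))
    if not config.get("WTF_CSRF_CHECK_DEFAULT", True):
        findings.append(("WTF_CSRF_CHECK_DEFAULT", "views are not protected by default"))
    methods = {m.upper() for m in config.get("WTF_CSRF_METHODS", PROTECTED_METHODS)}
    missing = PROTECTED_METHODS - methods
    if missing:
        findings.append(("WTF_CSRF_METHODS", "unprotected methods: " + ", ".join(sorted(missing))))
    if "WTF_CSRF_TIME_LIMIT" in config and config["WTF_CSRF_TIME_LIMIT"] is None:
        findings.append(("WTF_CSRF_TIME_LIMIT", "tokens stay valid for the life of the session"))
    if not config.get("WTF_CSRF_SSL_STRICT", True):
        findings.append(("WTF_CSRF_SSL_STRICT", "referrer check on HTTPS requests is off"))
    if not (config.get("WTF_CSRF_SECRET_KEY") or config.get("SECRET_KEY")):
        findings.append(("WTF_CSRF_SECRET_KEY", "no secret available for token generation"))
    return findings


def enable_csrf_logging(handler=None):
    """Hypothetical helper: make INFO-level messages on flask_wtf.csrf visible."""
    logger = logging.getLogger("flask_wtf.csrf")
    logger.setLevel(logging.INFO)
    logger.addHandler(handler or logging.StreamHandler())
    return logger


# Constructed sample configs: one weakened, one keeping the documented defaults.
WEAK = {
    "SECRET_KEY": "placeholder-not-a-real-key",
    "WTF_CSRF_ENABLED": True,
    "WTF_CSRF_METHODS": ["POST"],
    "WTF_CSRF_TIME_LIMIT": None,
    "WTF_CSRF_SSL_STRICT": False,
}
HARDENED = {"WTF_CSRF_SECRET_KEY": "placeholder-not-a-real-key", "WTF_CSRF_TIME_LIMIT": 3600}

if __name__ == "__main__":
    enable_csrf_logging()
    for key, message in audit_csrf_config(WEAK):
        print(f"{key}: {message}")
```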