Pyramid CSRF Check Disabled Globally

HIGH

Detects calls to set_default_csrf_options() which can globally disable CSRF protection in Pyramid applications.

Rule Information

Language
Python
Category
Pyramid
Author
Shivasurya
Last Updated
2026-03-22
Tags
python, pyramid, csrf, security-misconfiguration, CWE-352, OWASP-A05
CWE References
CWE-352: Cross-Site Request Forgery (CSRF)

Interactive Playground

pathfinder scan --ruleset python/PYTHON-PYRAMID-SEC-001 --project .

About This Rule

Understanding the vulnerability and how it is detected

This rule detects calls to Configurator.set_default_csrf_options() in Pyramid applications. That method sets the application-wide default for automatic CSRF checking. When it is called with require_csrf=False, the default becomes "no check" for every view that does not set require_csrf itself, leaving all state-changing endpoints open to cross-site request forgery.

Pyramid's automatic check (available since 1.7) rejects any request whose method is outside the safe_methods list (by default GET, HEAD, OPTIONS and TRACE, so POST, PUT, DELETE and PATCH are all checked) unless it carries a valid token in the csrf_token form field or the X-CSRF-Token header; for HTTPS requests it also checks the Origin or Referer header. Disabling it means any website can craft a form that submits to your application using the victim's browser cookies, performing actions on their behalf without their knowledge.

Security Implications

Potential attack scenarios if this vulnerability is exploited

1. Cross-Site Request Forgery on All Endpoints

With CSRF protection disabled, an attacker can host a page that submits forms to your Pyramid application. When an authenticated user visits the attacker's page, their browser attaches the session cookie automatically, and the forged request executes with the victim's session. Because the setting is global, every view that does not set require_csrf itself is exposed, not just the one the attacker targets first.

2. Account Takeover via Password Change

A common CSRF target is the password change form. The attacker's page submits a hidden, auto-submitting form to /change-password with a new password. Without CSRF protection, the request succeeds and the attacker owns the account.

3. Compliance Violations

PCI DSS v4.0 Requirement 6.2.4 explicitly lists cross-site request forgery among the attacks that software must be protected against, switching off a framework's built-in protection maps to OWASP A05:2021 Security Misconfiguration, and SOC 2 assessors expect CSRF defenses on applications handling sensitive data. Globally disabling it will fail a security audit.

How to Fix

Recommended remediation steps

  1. Never call set_default_csrf_options(require_csrf=False) in production. Turn the automatic check on for the whole application with config.set_default_csrf_options(require_csrf=True) (or a bare call, since the argument defaults to True) in your main() application factory.
  2. If specific views need CSRF exemption (webhooks, API endpoints with token auth), exempt them individually with require_csrf=False in the @view_config decorator or the add_view() call.
  3. Use Pyramid's built-in token mechanism: render request.session.get_csrf_token() (or pyramid.csrf.get_csrf_token(request) on Pyramid 1.9 and later) into a hidden csrf_token form field, or send it in the X-CSRF-Token header from JavaScript.
  4. For API endpoints using Bearer token authentication, exempt per-view rather than disabling globally, and make sure those views do not also accept a session cookie.
  5. Review all calls to set_default_csrf_options() in code review to confirm the configuration is intentional.

Detection Scope

How Code Pathfinder analyzes your code for this vulnerability

This rule matches all calls to set_default_csrf_options() via the pattern calls("*.set_default_csrf_options"). It fires on any invocation regardless of the arguments passed, since the presence of this call warrants review.
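As an added example (not Code Pathfinder's rule engine or its query language), the script below does in plain Python what the calls("*.set_default_csrf_options") pattern does, then goes one step further: it reads the require_csrf argument so a reviewer can tell a global disable from an enable or a setting-driven value, and it also lists the narrower per-view exemptions recommended in the How to Fix section (require_csrf=False on view_config or add_view) so the two forms of opting out appear side by side. The two Pyramid main() sources it scans are constructed samples, one showing the misconfiguration and one showing the recommended fix; the classification labels, the Finding type and the assumption that require_csrf is the first positional argument of set_default_csrf_options (its position in Pyramid's signature) are this example's own.

```python
"""Classify Pyramid CSRF configuration calls with Python's ast module.

Added example, not Code Pathfinder's own implementation. It finds every
set_default_csrf_options() call, as the rule does, and additionally reads the
require_csrf argument so each hit can be triaged without opening the file.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Constructed sample: the misconfiguration this rule targets.
VULNERABLE_MAIN = '''
from pyramid.config import Configurator

def main(global_config, **settings):
    config = Configurator(settings=settings)
    config.include("pyramid_jinja2")
    config.set_default_csrf_options(require_csrf=False)  # every view unprotected
    config.scan()
    return config.make_wsgi_app()
'''

# Constructed sample: the fix. Checks stay on globally; only the webhook view,
# which authenticates with a shared secret in a header rather than a cookie,
# opts out for itself.
HARDENED_MAIN = '''
from pyramid.config import Configurator
from pyramid.view import view_config

def main(global_config, **settings):
    config = Configurator(settings=settings)
    config.set_default_csrf_options(require_csrf=True)
    config.scan()
    return config.make_wsgi_app()

@view_config(route_name="change_password", request_method="POST")
def change_password(request):
    ...  # still protected: needs csrf_token field or X-CSRF-Token header

@view_config(route_name="webhook", request_method="POST", require_csrf=False)
def webhook(request):
    ...  # exempt: no browser session is involved
'''


@dataclass
class Finding:
    line: int
    kind: str    # global-disabled | global-enabled | global-dynamic | view-exempt
    detail: str


def _callee_name(call: ast.Call) -> str:
    """'set_default_csrf_options' for config.set_default_csrf_options(...),
    'view_config' for a bare decorator call; '' for anything else."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def _require_csrf_arg(call: ast.Call):
    """Expression passed as require_csrf, by keyword or as the first positional
    argument (assumed position per Pyramid's signature); None if omitted."""
    for kw in call.keywords:
        if kw.arg == "require_csrf":
            return kw.value
    return call.args[0] if call.args else None


def scan_csrf_config(source: str) -> list[Finding]:
    """Findings sorted by line: every set_default_csrf_options() call, classified,
    plus per-view require_csrf=False exemptions for context."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name == "set_default_csrf_options":
            val = _require_csrf_arg(node)
            if val is None:
                # Omitted argument: Pyramid's default for require_csrf is True.
                kind, detail = "global-enabled", "require_csrf omitted (defaults to True)"
            elif isinstance(val, ast.Constant) and val.value is False:
                kind, detail = "global-disabled", "require_csrf=False disables checks for every view"
            elif isinstance(val, ast.Constant) and val.value is True:
                kind, detail = "global-enabled", "require_csrf=True"
            else:
                # Setting-driven values (e.g. settings['csrf']) cannot be judged statically.
                kind, detail = "global-dynamic", f"require_csrf={ast.unparse(val)}; verify at runtime"
            findings.append(Finding(node.lineno, kind, detail))
        elif name in ("view_config", "add_view"):
            # Only a keyword can carry require_csrf here; positional args mean other things.
            for kw in node.keywords:
                if kw.arg == "require_csrf" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                    findings.append(Finding(node.lineno, "view-exempt",
                                            "per-view require_csrf=False; confirm the view never relies on cookie auth"))
    return sorted(findings, key=lambda f: f.line)


def globally_disabled(source: str) -> bool:
    """True when any call sets the application-wide default to no CSRF check."""
    return any(f.kind == "global-disabled" for f in scan_csrf_config(source))


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_MAIN), ("hardened", HARDENED_MAIN)):
        print(f"== {label}: globally disabled = {globally_disabled(src)}")
        for f in scan_csrf_config(src):
            print(f"  line {f.line}: {f.kind}: {f.detail}")
```

Run it directly to see both samples triaged. The global-dynamic label is where the rule's decision to flag every call pays off: a value pulled from settings cannot be judged statically, so a reviewer still has to confirm what the deployed configuration sets.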

Compliance & Standards

Industry frameworks and regulations that require detection of this vulnerability

OWASP Top 10
A05:2021 - Security Misconfiguration
CWE Top 25
CWE-352 ranked in Most Dangerous Software Weaknesses
PCI DSS v4.0
Requirement 6.2.4 - prevent cross-site request forgery attacks
NIST SP 800-53
SC-23: Session Authenticity

Frequently Asked Questions

Common questions about Pyramid CSRF Check Disabled Globally

Does Pyramid check CSRF tokens by default?
Not until you turn it on. Pyramid 1.7 added automatic CSRF checks for every request method outside the safe list (so POST, PUT, DELETE and PATCH), enabled globally with config.set_default_csrf_options(); the require_csrf argument of that call defaults to True. Passing require_csrf=False switches the check off for every view, and that explicit disabling is what this rule catches.

How do I exempt one view without turning the check off everywhere?
Use require_csrf=False in the @view_config decorator (or the add_view() call) for that specific view. This keeps CSRF protection active for all other views.

Do API endpoints that use Bearer tokens need CSRF protection?
Generally no. CSRF abuses credentials the browser attaches on its own, chiefly cookies. If an API accepts only a Bearer token in the Authorization header and never falls back to a session cookie, a cross-site form cannot supply that token and CSRF is not a threat. Exempt such views individually rather than globally, and confirm they really do reject cookie-authenticated requests.

Does the rule flag calls that keep CSRF enabled?
Yes. Any call to set_default_csrf_options() is flagged for review to confirm the configuration is intentional.

How do I run this rule in CI?
Run: pathfinder ci --ruleset python/pyramid --project .
