Secure defaults are inherently secure libraries, frameworks, configurations, or settings. They mitigate common security concerns, such as preventing cross-site request forgery (CSRF) by properly verifying inbound requests in Django or Flask applications. By adopting secure defaults, teams minimize the need for developers to manually implement security measures. Secure default rules are Semgrep Code (SAST) rules that codify a secure default. The Semgrep team recommends deploying these rules as guardrails because the early adoption of secure defaults helps prevent additional vulnerabilities. Some secure default rules codify universally secure practices and work out of the box, while others are organization-specific and require customization. In the following example, the rule detects if a Flask WTForm view is protected from CSRF by default by checking the configuration variable WTF_CSRF_CHECK_DEFAULT. If it is set to False, then the developer must call csrf.protect() whenever they handle a request—a manual process they must remember every time. Thus, WTF_CSRF_CHECK_DEFAULT=True is a secure default, which this Semgrep rule enforces.
Semgrep Code supported languages
Semgrep Code provides secure default rules for the following languages:
- C#
- Python (Flask, FastAPI, and Django frameworks)