Configuration
*************

+----------------------------+-------------------------------------------------------+
| "WTF_CSRF_ENABLED"         | Set to "False" to disable all CSRF protection.        |
|                            | Default is "True".                                    |
+----------------------------+-------------------------------------------------------+
| "WTF_CSRF_CHECK_DEFAULT"   | When using the CSRF protection extension, this        |
|                            | controls whether every view is protected by default.  |
|                            | Default is "True".                                    |
+----------------------------+-------------------------------------------------------+
| "WTF_CSRF_SECRET_KEY"      | Random data for generating secure tokens. If this is  |
|                            | not set then "SECRET_KEY" is used.                    |
+----------------------------+-------------------------------------------------------+
| "WTF_CSRF_METHODS"         | HTTP methods to protect from CSRF. Default is         |
|                            | "{'POST', 'PUT', 'PATCH', 'DELETE'}".                 |
+----------------------------+-------------------------------------------------------+
| "WTF_CSRF_FIELD_NAME"      | Name of the form field and session key that holds the |
|                            | CSRF token. Default is "csrf_token".                  |
+----------------------------+-------------------------------------------------------+
| "WTF_CSRF_HEADERS"         | HTTP headers to search for CSRF token when it is not  |
|                            | provided in the form. Default is "['X-CSRFToken', 'X  |
|                            | -CSRF-Token']".                                       |
+----------------------------+-------------------------------------------------------+
| "WTF_CSRF_TIME_LIMIT"      | Max age in seconds for CSRF tokens. Default is        |
|                            | "3600". If set to "None", the CSRF token is valid for |
|                            | the life of the session.                              |
+----------------------------+-------------------------------------------------------+
| "WTF_CSRF_SSL_STRICT"      | Whether to enforce the same origin policy by checking |
|                            | that the referrer matches the host. Only applies to   |
|                            | HTTPS requests. Default is "True".                    |
+----------------------------+-------------------------------------------------------+
| "WTF_I18N_ENABLED"         | Set to "False" to disable Flask-Babel I18N support.   |
|                            | Also set to "False" if you want to use WTForms's      |
|                            | built-in messages directly, see more info here.       |
|                            | Default is "True".                                    |
+----------------------------+-------------------------------------------------------+


Recaptcha
=========

+-----------------------------+-------------------------------------------------------+
| "RECAPTCHA_PUBLIC_KEY"      | **required** A public key.                            |
+-----------------------------+-------------------------------------------------------+
| "RECAPTCHA_PRIVATE_KEY"     | **required** A private key.                           |
|                             | https://www.google.com/recaptcha/admin                |
+-----------------------------+-------------------------------------------------------+
| "RECAPTCHA_PARAMETERS"      | **optional** A dict of configuration options.         |
+-----------------------------+-------------------------------------------------------+
| "RECAPTCHA_HTML"            | **optional** Override default HTML template for       |
|                             | Recaptcha.                                            |
+-----------------------------+-------------------------------------------------------+
| "RECAPTCHA_DATA_ATTRS"      | **optional** A dict of "data-" attrs to use for       |
|                             | Recaptcha div                                         |
+-----------------------------+-------------------------------------------------------+
| "RECAPTCHA_SCRIPT"          | **optional** Override the default captcha script URI  |
|                             | in case an alternative service to reCAPtCHA, e.g.     |
|                             | hCaptcha is used. Default is                          |
|                             | "'https://www.google.com/recaptcha/api.js'"           |
+-----------------------------+-------------------------------------------------------+
| "RECAPTCHA_DIV_CLASS"       | **optional** Override the default class of the        |
|                             | captcha div in case an alternative captcha service is |
|                             | used. Default is "'g-recaptcha'"                      |
+-----------------------------+-------------------------------------------------------+
| "RECAPTCHA_VERIFY_SERVER"   | **optional** Override the default verification server |
|                             | in case an alternative service is used. Default is    |
|                             | "'https://www.google.com/recaptcha/api/siteverify'"   |
+-----------------------------+-------------------------------------------------------+


Logging
=======

CSRF errors are logged at the "INFO" level to the "flask_wtf.csrf"
logger. You still need to configure logging in your application in
order to see these messages.
