Rule Definition
When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.

Remediation
Use Flask-WTF which enables CSRF protection by default for views using flask_wtf.FlaskForm. Do not disable CSRF protection. You can also implement CSRF token validation: create a session token, send it when creating a form, and check its value on the response sent.

Violation Code Sample

from flask import Flask

app = Flask(__name__)

@app.route("/unsafe", methods=["POST"])
def unsafe():
    name = request.form['name']
    return render_template('result.html', name=name)

Fixed Code Sample

from flask import Flask
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
csrf = CSRFProtect(app)

@app.route("/safe", methods=["POST"])
def safe():
    name = request.form['name']
    return render_template('result.html', name=name)  # <- result.html must send csrf_token

# -- using FlaskForm --

class ProtectedForm(FlaskForm):
   ...

@app.route('/safe', methods=['POST'])
def safe():
    form = ProtectedForm()
    return render_template('register.html', name=name, form=form)  # <- protected

CWE-352: Cross-Site Request Forgery (CSRF) https://cwe.mitre.org/data/definitions/352.html OWASP Top 10:2021 - A01:2021 – Broken Access Control https://owasp.org/Top10/A01_2021-Broken_Access_Control/