July 2019
Beginner to intermediate
302 pages
9h 38m
English
Flask-WTF, by default, provides a form that is CSRF-protected. If we look at the recipes so far, we will notice that we have explicitly told our form not to be CSRF-protected. We just have to remove the corresponding statement to enable CSRF protection.
So, form = ProductForm(csrf_enabled=False) will become form = ProductForm().
Some configuration is also needed in our application:
app.config['WTF_CSRF_SECRET_KEY'] = 'random key for form'
By default, the CSRF key is the same as our application's secret key.
With CSRF enabled, we will have to provide an additional field in our forms; this is a hidden field and contains the CSRF token. WTForms takes care of the hidden field for us, and we just have to add {{ form.csrf_token ...