Secure defaults
Secure defaults are inherently secure libraries, frameworks, configurations, or settings. They mitigate common security concerns, such as preventing cross-site request forgery (CSRF) by properly verifying inbound requests in Django or Flask applications. By adopting secure defaults, teams minimize the need for developers to manually implement security measures.
Secure default rules are Semgrep Code (SAST) rules that codify a secure default. The Semgrep team recommends deploying these rules as guardrails because the early adoption of secure defaults helps prevent additional vulnerabilities.
Some secure default rules codify universally secure practices and work out of the box, while others are organization-specific and require customization.
In the following example, the rule detects whether a Flask WTForm view is protected from CSRF by default by checking the configuration variable WTF_CSRF_CHECK_DEFAULT. If it is set to False, the developer must call csrf.protect() whenever they handle a request, a manual step they must remember every time. Thus, WTF_CSRF_CHECK_DEFAULT=True is a secure default, which this Semgrep rule enforces.
Figure. A rule that helps secure a Flask app from CSRF by default
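The rule shown in the figure above is part of the proprietary p/secure-defaults ruleset and is not reproduced here. The following is an added illustrative rule, written for this page rather than taken from Semgrep's ruleset, that implements the same check: it flags code that turns WTF_CSRF_CHECK_DEFAULT off, whether through a config dictionary assignment, a config.update() call, or a module-level settings constant. The rule id, message, and metadata are assumptions chosen for this example; only the configuration key and the secure value come from the page.

```yaml
# Added example rule: flags Flask-WTF configurations that disable the
# CSRF-by-default behaviour. Rule id and metadata are placeholders.
rules:
  - id: flask-wtf-csrf-check-default-disabled
    languages: [python]
    severity: WARNING
    message: >-
      WTF_CSRF_CHECK_DEFAULT is set to False, so Flask-WTF no longer verifies
      CSRF tokens on every request and each view must call csrf.protect()
      by hand. Remove this setting, or set it to True, so CSRF protection
      stays on by default.
    metadata:
      category: security
      cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
      secure-default: WTF_CSRF_CHECK_DEFAULT=True
    pattern-either:
      # app.config["WTF_CSRF_CHECK_DEFAULT"] = False
      - pattern: $APP.config["WTF_CSRF_CHECK_DEFAULT"] = False
      # app.config.update(SECRET_KEY=..., WTF_CSRF_CHECK_DEFAULT=False, ...)
      - pattern: $APP.config.update(..., WTF_CSRF_CHECK_DEFAULT=False, ...)
      # Module-level settings constant, e.g. a settings.py later loaded with
      # app.config.from_object(settings)
      - pattern: WTF_CSRF_CHECK_DEFAULT = False
```

Save the rule as a YAML file and run it with `semgrep --config <rule-file>.yaml <path-to-flask-app>`. The secure configuration produces no finding: Flask-WTF enables WTF_CSRF_CHECK_DEFAULT by default, so omitting the key or setting it to True both pass. The rule only sees literal `False`; a value read at runtime from an environment variable or a non-Python settings file is outside what this pattern can inspect, which is one reason to keep such settings in code where a guardrail rule can check them.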
Semgrep Code supported languages
Semgrep Code provides secure default rules for the following languages:
- C#
- Python (Flask, FastAPI, and Django frameworks)
Custom secure default rules can be written for any of Semgrep Code’s supported languages.
View Semgrep secure default rules
View all proprietary Semgrep secure default rules through the ruleset p/secure-defaults.