def test_app(global_config, **settings): config = Configurator(settings=settings) config.include('tomb_csrf') # Safe routes # "GET", "HEAD", "OPTIONS", "TRACE" config.add_route('GET', '/get', request_method='GET') config.add_route('HEAD', '/head', request_method='HEAD') config.add_route('OPTIONS', '/options', request_method='OPTIONS') config.add_route('TRACE', '/trace', request_method='TRACE') # Unsafe routes # POST, PUT, DELETE config.add_route('POST', '/post', request_method='POST') config.add_route('PUT', '/put', request_method='PUT') config.add_route('DELETE', '/delete', request_method='DELETE') # Exempt Routes config.add_route('csrf_exempt', '/exempt') config.add_route('global_origin', '/global_origin') config.add_route('scoped_origin', '/scoped_origin') # Allowed Origin Route routes = [ 'GET', 'HEAD', 'OPTIONS', 'TRACE', 'POST', 'PUT', 'DELETE', 'csrf_exempt', 'scoped_origin', 'global_origin' ] for route in routes: config.add_view(test_view, route_name=route) # disable csrf on a single route config.disable_csrf('csrf_exempt') # adds a global allowed origin config.add_csrf_origin('localmonkey.com') # adds an origin for a single route config.add_csrf_origin('remotemonkey.com', 'scoped_origin') config.set_origin_schemes(['http', 'https']) return config.make_wsgi_app()