{
  "context": "This criteria evaluates how well the engineer uses Flask-WTF's time-limited CSRF token functionality to implement form protection with token expiration. The focus is on proper configuration of token time limits and correct integration of CSRF protection.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "CSRFProtect initialization",
      "description": "Uses CSRFProtect class from flask_wtf.csrf to initialize CSRF protection for the Flask application.",
      "max_score": 15
    },
    {
      "name": "Time limit configuration",
      "description": "Configures WTF_CSRF_TIME_LIMIT setting to 120 seconds (2 minutes) to control token expiration time.",
      "max_score": 25
    },
    {
      "name": "Secret key configuration",
      "description": "Sets Flask app.config['SECRET_KEY'] which is required for CSRF token signing and validation.",
      "max_score": 10
    },
    {
      "name": "Form class usage",
      "description": "Uses FlaskForm class from flask_wtf to create a form with automatic CSRF token integration.",
      "max_score": 20
    },
    {
      "name": "CSRF token rendering",
      "description": "Renders CSRF token in the form template using either form.hidden_tag() method or csrf_token() template function.",
      "max_score": 15
    },
    {
      "name": "Validation handling",
      "description": "Uses form.validate_on_submit() or form.validate() to trigger automatic CSRF token validation, which checks both token validity and expiration.",
      "max_score": 15
    }
  ]
}