
tessl/pypi-flask-wtf

tessl install tessl/pypi-flask-wtf@1.2.0

Form rendering, validation, and CSRF protection for Flask with WTForms.

Agent Success: 72% (agent success rate when using this tile)

Improvement: 0.91x (agent success rate improvement when using this tile compared to baseline)

Baseline: 79% (agent success rate without this tile)

evals/scenario-7/rubric.json

{
  "context": "These criteria evaluate how well the engineer uses Flask-WTF to implement CSRF protection at both the application and form levels, focusing on the short-circuit validation capability between the CSRFProtect extension and FlaskForm.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "CSRFProtect initialization",
      "description": "Uses CSRFProtect class from flask_wtf.csrf to initialize global CSRF protection for the application (e.g., csrf = CSRFProtect(app) or csrf.init_app(app))",
      "max_score": 20
    },
    {
      "name": "FlaskForm usage",
      "description": "Creates a form class that inherits from FlaskForm (from flask_wtf import FlaskForm) to enable form-level CSRF protection with automatic short-circuit validation",
      "max_score": 25
    },
    {
      "name": "Form field definitions",
      "description": "Properly defines form fields using WTForms field classes (StringField, PasswordField, etc.) and validators (DataRequired, Email, EqualTo, etc.) within the FlaskForm subclass",
      "max_score": 15
    },
    {
      "name": "Form validation",
      "description": "Uses form.validate_on_submit() or a combination of form.is_submitted() and form.validate() to check form submission and perform validation, including CSRF token validation",
      "max_score": 15
    },
    {
      "name": "CSRF exemption",
      "description": "Uses @csrf.exempt decorator (or csrf.exempt() method) from the CSRFProtect instance to exempt the health check endpoint from CSRF validation",
      "max_score": 15
    },
    {
      "name": "CSRF token rendering",
      "description": "Includes CSRF token in the form using form.hidden_tag() or form.csrf_token in the template/response for GET requests to /register",
      "max_score": 10
    }
  ]
}

Workspace: tessl
Visibility: Public
Describes: pypipkg:pypi/flask-wtf@1.2.x