Initialize CSRFProtect and ProxyFix for HF Spaces

web_app/__init__.py

@@ -6,6 +6,7 @@ from flask_sqlalchemy import SQLAlchemy
 from flask_login import LoginManager
 from flask_migrate import Migrate
 from flask_cors import CORS
+from flask_wtf.csrf import CSRFProtect
 from config import Config
 from werkzeug.middleware.proxy_fix import ProxyFix
 
@@ -14,17 +15,21 @@ login_manager = LoginManager()
 login_manager.login_view = 'auth.login'  # Route for @login_required
 login_manager.login_message_category = 'info'
 migrate = Migrate()
+csrf = CSRFProtect()
 
 
 def create_app(config_class=Config):
     app = Flask(__name__)
     app.config.from_object(config_class)
 
-    # If the app is running behind a proxy (like on Render), fix the WSGI environment
-    if os.environ.get('RENDER'):
+    # If the app is running behind a proxy (like on Render or HF Spaces), fix the WSGI environment
+    if os.environ.get('RENDER') or os.environ.get('SPACE_ID'):
         app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1,
                                 x_proto=1, x_host=1, x_prefix=1)
 
+    # Initialize CSRF protection
+    csrf.init_app(app)
+
     # Enable CORS for all routes
     # This allows requests from Codespace frontend and mobile app
     allowed_origins = [