# Client-Controlled Authorization Data

- ID: python-client-controlled-authorization
- Severity: CRITICAL
- CWE: CWE-807
- Languages: Python
- Frameworks: django, flask, fastapi

## Description

Detects authorization decisions based on client-controllable data such as cookies, query parameters, or form fields.

## Remediation

Use server-side session state for authorization decisions.

```python
from django.http import HttpResponseForbidden


def admin_view(request):
    # request.user is resolved from the server-side session, not from a
    # cookie or query parameter the client can set.
    if not request.user.is_staff:
        return HttpResponseForbidden()
    ...
```

Learn more: https://shoulder.dev/learn/python/cwe-807/client-controlled-authorization

## Documentation
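As an added illustration (not part of the rule text or the shoulder.dev documentation), a framework-independent Python sketch of the flagged pattern beside its remediation: the `Request` class, the `SESSION_STORE` dictionary and the session ids are constructed here, and the fixed check denies by default when the session is unknown.

```python
# Added example: CWE-807 in miniature. A request carrying a tampered
# "is_admin" cookie passes the client-controlled check but not the
# server-side session lookup. Request and session data are constructed.
from dataclasses import dataclass, field


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)  # client-controllable
    args: dict = field(default_factory=dict)     # client-controllable


# Server-side session store: opaque session id -> server-owned attributes.
# Populated at login, never written from request data. (Constructed sample.)
SESSION_STORE = {
    "sid-alice-7f3e": {"user": "alice", "is_staff": False},
    "sid-bob-91c0": {"user": "bob", "is_staff": True},
}


def is_staff_vulnerable(request: Request) -> bool:
    """CWE-807: trusts values the client sets in a cookie or query string."""
    return (request.cookies.get("is_admin") == "1"
            or request.args.get("admin") == "true")


def is_staff_fixed(request: Request) -> bool:
    """Uses the cookie only as an opaque key into server-side session state."""
    session = SESSION_STORE.get(request.cookies.get("sessionid", ""))
    if session is None:
        return False  # unknown or expired session: deny by default
    return bool(session["is_staff"])


def admin_view(request: Request, check) -> int:
    """Return an HTTP status code: 200 for staff, 403 otherwise."""
    return 200 if check(request) else 403


if __name__ == "__main__":
    tampered = Request(cookies={"sessionid": "sid-alice-7f3e", "is_admin": "1"})
    print(admin_view(tampered, is_staff_vulnerable))  # 200: check bypassed
    print(admin_view(tampered, is_staff_fixed))       # 403: alice is not staff
```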