CTFd is a Python-based open-source Capture The Flag (CTF) web app. I wanted to use it in a context where I didn't want to collect the email addresses of registering users. To achieve this, I took the easy way and hacked around the problem: hide the email field in the registration form and generate a random address for every registration. Show me the code!


Recently I once again stumbled upon a detail of the HTTP specification involving the POST verb and "enforced" https. I'll document it here in an attempt to save other people the time (hopefully also future-me). Do you want to know more?


Flask pretty-prints responses generated by the flask.json.jsonify function. Avoiding this on a per-request basis doesn't seem to be intended: there is a configuration variable for the whole application, JSONIFY_PRETTYPRINT_REGULAR, but setting it to False minifies every JSON response, and in general I enjoyed the pretty-printed output. Implementing X-PrettyPrint, which seems to be a quasi-standard, also sounded like the wrong way, because it means replacing the call to jsonify with a custom implementation. This short story has a happy end though: Flask does not pretty-print the response if it receives an AJAX request. So one can just send the appropriate header:
curl -H 'X-Requested-With: XMLHttpRequest' "https://example.com/api/endpoint.json";


Spoiler: My main point in this post is not given away by the title. But first things first: What are all those words? Would you like to know more?