by swinglock 2824 days ago
Am I correct to interpret this as: it's up to the app developer not to put any features that do anything of importance in the web interface, because one should operate under the assumption that it's not only the logged-on user in front of the computer (even when address='127.0.0.1') who can press the buttons?

Unless I'm completely misunderstanding, I don't agree that this is at all comparable with the security model expected of a "standard desktop GUI framework", nor safe.

Though indeed, if large, random and unpredictable IDs are required to perform actions, that may defeat the attack or make it difficult.


You are correct, it could theoretically be pressed by someone else, but it should be really difficult because of the unpredictability of the IDs. It should be simpler to attack Flask or Django based web interfaces, shouldn't it?

Unpredictability is an inconvenience. Django and Flask do feature reliable protection.

https://docs.djangoproject.com/en/stable/ref/csrf/

https://flask-wtf.readthedocs.io/en/stable/csrf.html
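The protection those two links describe is the synchronizer-token pattern: the server issues a secret per-session token, embeds it in its own forms, and refuses any state-changing request that does not carry it back. A page on another origin cannot read the token because of the same-origin policy, so it cannot forge a valid request no matter how well it knows the widget IDs. The following is an added, standard-library-only illustration of that check, written for this thread; it is not code from remi, Django or Flask-WTF, and the request/session shapes, the `handle_request` signature and the `allowed_origin` default are constructed for the example.

```python
"""Synchronizer-token CSRF check, illustrated with the standard library only.

Constructed example for this discussion; not remi's, Django's or Flask-WTF's code.
The request and session structures below are stand-ins for a real framework's.
"""
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
SESSIONS: dict[str, dict] = {}


def new_session() -> str:
    """Create a session with a fresh, unguessable CSRF token; return the session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server embeds in its own forms/pages for this session.

    Only a page served from our own origin can read it; a cross-origin page cannot.
    """
    return SESSIONS[sid]["csrf_token"]


def handle_request(method: str, path: str, cookies: dict, form: dict, headers: dict,
                   allowed_origin: str = "http://127.0.0.1:8081") -> tuple:
    """Return (status, body). State-changing methods require a valid CSRF token.

    `allowed_origin` is an assumed value for the example: the origin our own UI is served from.
    """
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "no session"

    # Safe methods must not change state, so they need no token (as in Django/Flask-WTF).
    if method in ("GET", "HEAD", "OPTIONS"):
        return 200, f"ok {method} {path}"

    # Defence 1: the submitted token must match the session's token. Constant-time
    # comparison avoids leaking how many leading characters were right.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, SESSIONS[sid]["csrf_token"]):
        return 403, "CSRF token missing or invalid"

    # Defence 2 (belt and braces, similar in spirit to Django's Origin/Referer check):
    # if the browser tells us where the request came from, it must be our own origin.
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if origin and not origin.startswith(allowed_origin):
        return 403, "cross-origin request rejected"

    return 200, f"ok {method} {path}"


if __name__ == "__main__":
    sid = new_session()
    # Our own page knows the token, so its button press goes through.
    print(handle_request("POST", "/widget/42/click", {"session": sid},
                         {"csrf_token": csrf_token_for(sid)},
                         {"Origin": "http://127.0.0.1:8081"}))
    # A page on another origin knows the widget id but not the token: rejected.
    print(handle_request("POST", "/widget/42/click", {"session": sid}, {},
                         {"Origin": "http://other.example"}))
```

Note what the example shows about the "unpredictable IDs" argument above: the widget id in the path is the same in both requests. The forged request fails because the token is unreadable from another origin, not because the id was hard to guess; an id that appears in URLs or page source is not a secret, whereas the token is never sent anywhere the attacker's page can read it.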

Thank you for the advice. It should be pretty simple to protect an app from that kind of attack. However, this doesn't mean that remi is a safe web framework. Personally, I feel like @nicolaslem (look at his comment).
nicolaslem recommended hosting behind a reverse proxy. That has nothing to do with the issue.

My recommendation is you read up on the subject and I'll leave it at that. You have been given everything needed to search for more information.