Flask-WTF set time limit on CSRF token
Following your changelog link, I looked through the commit and found these lines:
if time_limit is None: time_limit = current_app.config.get('WTF_CSRF_TIME_LIMIT', 3600)
Setting app.config['WTF_CSRF_TIME_LIMIT']
to some shorter value seems to work. I have set it to 30 seconds with app.config['WTF_CSRF_TIME_LIMIT'] = 30
and the form expired after that amount of time, but I have not tried a longer value than the default.
I am not sure if you can change an app.config value on the fly in order to hack your way around not being able to set an expiration per form.