Insuficient entropy in CSRF token

[randomstuff]

The CSRF token is using 64 bits of entropy :

sha256 = hashlib.sha256()
sha256.update(os.urandom(8))
token = sha256.hexdigest().encode(ENCODING)
response.set_cookie(token_name, token, path=path,
                                  secret=secret, max_age=expires)
request.csrf_token = token.decode(ENCODING)

Apparently, the 128 bits of entropy is considered a minimum these days, the OWASP example is using 512 bits of entropy.

[randomstuff]

By the way I don't think using SHA256 is any useful here. You could just as well keep the original random bytes. You won't get any extra entropy by hashing it.