Flask is a micro-framework and does not provide all security features out of the box. It is important to configure security settings for your application.

Flask configuration

Please refer to the Flask documentation, OWASP, and other resources such as MDN for the latest information on best practice.

Consider the following Flask configurations in production:

- Secure cookie flag: set to True if your application is served over HTTPS.
- Cookie name: use the __Secure- or __Host- prefix according to the MDN docs.
- SameSite attribute: use Lax or Strict.
You can use a security plugin such as Flask-Talisman to set these and more.


Take care to secure your storage and the storage client connection. For example, set up SSL/TLS and storage authentication.

Session fixation

Session fixation is an attack that permits an attacker to hijack a valid user session. The attacker fixates a user's session by providing them with a session identifier, then uses that same identifier to impersonate the user once they have logged in. One tool among others that mitigates session fixation is regenerating the session identifier when a user logs in. This can be done by calling the flask.Flask.session_interface.regenerate() method. This method is defined in flask_session.base.ServerSideSession.

from flask import current_app, session

def login():
    # your login logic ...
    # issue a fresh session ID so a pre-login identifier cannot be reused
    current_app.session_interface.regenerate(session)
    # your response ...
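As an added illustration (not code from Flask-Session) that covers both the cookie settings above and the regeneration step, this stdlib-only sketch models a server-side session store: `login` with `regenerate=True` plays the role of `regenerate()`, and `set_cookie_header` enforces the MDN rules behind the __Host-/__Secure- prefixes and the SameSite values listed above. The in-memory store, function names and cookie name are assumptions for the demo; in Flask the corresponding settings are SESSION_COOKIE_SECURE, SESSION_COOKIE_NAME and SESSION_COOKIE_SAMESITE.

```python
import secrets
from typing import Dict, Optional
class SessionStore:
    """Server-side store (sid -> data); the cookie carries only the sid."""
    def __init__(self) -> None:
        self._data: Dict[str, dict] = {}

    def open(self, sid: Optional[str]) -> str:
        # A sid the server never issued is not adopted; a fresh one is minted.
        if sid is None or sid not in self._data:
            sid = secrets.token_urlsafe(32)
            self._data[sid] = {}
        return sid

    def has(self, sid: str) -> bool:
        return sid in self._data

    def get(self, sid: str) -> dict:
        return self._data[sid]

    def regenerate(self, old_sid: str) -> str:
        """Move the data to a new sid and invalidate the old one (login step)."""
        new_sid = secrets.token_urlsafe(32)
        self._data[new_sid] = self._data.pop(old_sid)
        return new_sid

def login(store: SessionStore, presented_sid: Optional[str], user: str,
          regenerate: bool) -> str:
    """Authenticate `user`; returns the sid the response's Set-Cookie must carry."""
    sid = store.open(presented_sid)
    if regenerate:  # without this, a pre-login sid planted on the user stays valid
        sid = store.regenerate(sid)
    store.get(sid)["user"] = user
    return sid

def set_cookie_header(name: str, value: str, secure: bool, samesite: str,
                      httponly: bool = True, path: str = "/",
                      domain: Optional[str] = None) -> str:
    """Build a Set-Cookie value, enforcing the MDN __Host-/__Secure- prefix rules."""
    if name.startswith("__Host-") and not (secure and path == "/" and domain is None):
        raise ValueError("__Host- cookies must be Secure, Path=/ and have no Domain")
    if name.startswith("__Secure-") and not secure:
        raise ValueError("__Secure- cookies must be Secure")
    if samesite not in ("Lax", "Strict"):
        raise ValueError("session cookies should use SameSite=Lax or Strict")
    parts = [f"{name}={value}", f"Path={path}", f"SameSite={samesite}"]
    parts += [f"Domain={domain}"] if domain else []
    parts += ["Secure"] if secure else []
    parts += ["HttpOnly"] if httponly else []
    return "; ".join(parts)
```

The store never adopts a client-supplied sid it did not issue, so the only fixation path left is a sid the attacker legitimately obtained before login, and regenerating at login closes that one too.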