Security

Warning: Flask is a micro-framework and does not provide every security feature out of the box. Session cookies, storage connections and session lifecycle all need to be configured deliberately for your application.
Flask configuration

Refer to the Flask documentation, OWASP, and other resources such as MDN for the latest best-practice guidance.
Consider the following Flask configuration settings in production:

Setting | Consideration
---|---
SESSION_COOKIE_SECURE | Set to True so the browser only sends the session cookie over HTTPS.
SESSION_COOKIE_NAME | Use a cookie-prefix name such as __Host-session (or __Secure-session). The browser refuses a prefixed cookie unless it was set with the Secure attribute (and, for __Host-, without a Domain attribute and with Path=/), so a misconfiguration fails closed instead of leaking the cookie.
SESSION_COOKIE_SAMESITE | Use Lax or Strict so the session cookie is not attached to cross-site requests (a CSRF mitigation).
You can use a security plugin such as Flask-Talisman to set these and more.
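The following start-up check is an added example and not part of Flask, Flask-Session or Flask-Talisman. It reads the settings from the table above out of a mapping (Flask's app.config is one) and refuses to start with a weak session cookie; the two sample configurations and the helper names are constructed for the example. Because cookie prefixes are enforced by the browser, the check also flags the combinations that would make the browser silently drop a __Host- cookie.

```python
# Hypothetical start-up check (example code, not Flask-Session's own):
# inspect the session-cookie settings this page recommends and fail closed.

WEAK_CONFIG = {  # constructed sample: development-style settings
    "SESSION_COOKIE_NAME": "session",
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": None,
    "SESSION_COOKIE_DOMAIN": None,
    "SESSION_COOKIE_PATH": None,
}

HARDENED_CONFIG = {  # constructed sample: the settings recommended above
    "SESSION_COOKIE_NAME": "__Host-session",
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
    "SESSION_COOKIE_DOMAIN": None,
    "SESSION_COOKIE_PATH": "/",
}


def session_cookie_findings(config):
    """Return a list of problems with the session-cookie settings in `config`
    (app.config or any mapping). An empty list means every check passed."""
    findings = []
    name = config.get("SESSION_COOKIE_NAME", "session")
    secure = bool(config.get("SESSION_COOKIE_SECURE", False))
    samesite = config.get("SESSION_COOKIE_SAMESITE")
    domain = config.get("SESSION_COOKIE_DOMAIN")
    path = config.get("SESSION_COOKIE_PATH") or "/"  # Flask falls back to "/"

    if not secure:
        findings.append("SESSION_COOKIE_SECURE is not True: cookie may be sent over plain HTTP")
    if not config.get("SESSION_COOKIE_HTTPONLY", True):
        findings.append("SESSION_COOKIE_HTTPONLY is False: cookie is readable from JavaScript")
    if samesite not in ("Lax", "Strict"):
        findings.append("SESSION_COOKIE_SAMESITE should be 'Lax' or 'Strict'")

    # Browsers only store a prefixed cookie when the prefix rules hold; if they
    # do not, every request arrives without a session and logins never stick.
    if name.startswith("__Host-"):
        if not secure:
            findings.append("__Host- prefix requires SESSION_COOKIE_SECURE = True")
        if domain is not None:
            findings.append("__Host- prefix forbids a Domain attribute (SESSION_COOKIE_DOMAIN must be None)")
        if path != "/":
            findings.append("__Host- prefix requires Path=/ (SESSION_COOKIE_PATH must be '/')")
    elif name.startswith("__Secure-"):
        if not secure:
            findings.append("__Secure- prefix requires SESSION_COOKIE_SECURE = True")
    else:
        findings.append("SESSION_COOKIE_NAME has no __Host-/__Secure- prefix")
    return findings


def enforce_session_cookie_config(config):
    """Raise at start-up instead of serving requests with a weak session cookie."""
    problems = session_cookie_findings(config)
    if problems:
        raise RuntimeError("Insecure session cookie configuration:\n- " + "\n- ".join(problems))
    return True


if __name__ == "__main__":
    for finding in session_cookie_findings(WEAK_CONFIG):
        print("weak config:", finding)
    enforce_session_cookie_config(HARDENED_CONFIG)
    print("hardened config passed")
```

Run the check once at application start (for example right after app.config is populated), and confirm the result against the actual Set-Cookie header your deployment emits: reverse proxies, APPLICATION_ROOT and older Flask releases can all influence the Domain and Path attributes that the __Host- rules depend on.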
Storage

Take care to secure your session storage and the client connection to it: the session backend holds every user's authenticated state. Set up SSL/TLS on the connection (with certificate verification, not just encryption) and require storage authentication; do not leave the backend reachable on the network without credentials.
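As an added example (not Flask-Session code), the helper below turns a Redis connection URL, as an app might receive it from an environment variable, into client settings that enforce both points above: it rejects a plaintext redis:// URL or one without a password, and it requires certificate verification for the TLS connection. The URL, host name and CA bundle path are constructed for the example; the keyword names are those of redis-py's redis.Redis client, which is what Flask-Session accepts as SESSION_REDIS.

```python
from urllib.parse import urlparse


def storage_client_settings(url, ca_bundle=None):
    """Parse a Redis URL and return redis.Redis keyword arguments that enforce
    TLS with certificate verification plus password authentication.
    Anything weaker raises ValueError so the app refuses to start."""
    u = urlparse(url)
    if u.scheme != "rediss":
        raise ValueError(f"refusing {u.scheme!r}: session storage must use TLS (rediss://)")
    if not u.password:
        raise ValueError("refusing URL without a password: storage must be authenticated")
    if not u.hostname:
        raise ValueError("storage URL has no host")

    settings = {
        "host": u.hostname,
        "port": u.port or 6379,
        "db": int((u.path or "/0").lstrip("/") or 0),
        "username": u.username or None,  # ACL user, if the server uses one
        "password": u.password,
        "ssl": True,
        # Verify the server certificate; "none" would encrypt but accept any peer.
        "ssl_cert_reqs": "required",
        "ssl_check_hostname": True,
    }
    if ca_bundle:
        settings["ssl_ca_certs"] = ca_bundle  # private CA for an internal Redis
    return settings


def make_session_store(url, ca_bundle=None):
    """Build the client to assign to app.config["SESSION_REDIS"]."""
    import redis  # imported here so the URL checks run even without redis-py installed

    return redis.Redis(**storage_client_settings(url, ca_bundle))


if __name__ == "__main__":
    # Constructed sample URL; in a real deployment read it from the environment.
    sample = "rediss://app:s3cret@sessions.internal:6380/2"
    print(storage_client_settings(sample, ca_bundle="/etc/ssl/internal-ca.pem"))
    for bad in ("redis://app:s3cret@sessions.internal:6379/0", "rediss://sessions.internal:6380/0"):
        try:
            storage_client_settings(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Wire it in with app.config["SESSION_TYPE"] = "redis" and app.config["SESSION_REDIS"] = make_session_store(url, ca_bundle). The same two requirements, an authenticated client and a verified TLS connection, apply to every other backend Flask-Session supports; only the client construction differs.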
Session fixation

Session fixation is an attack that lets an attacker hijack a valid user session. The attacker first obtains a session identifier and plants it in the victim's browser (for example through a crafted link or an injected cookie), fixating the victim's session to a value the attacker knows. Once the victim logs in while carrying that identifier, the attacker presents the same identifier and is treated as the authenticated user.

One mitigation among several is to regenerate the session identifier when a user logs in, so that any identifier known to the attacker before login no longer refers to the authenticated session. With Flask-Session this is done by calling the flask.Flask.session_interface.regenerate() method on the current session; the method is defined on the server-side session interface in flask_session.base.
```python
from flask import Flask, session
from flask_session import Session

app = Flask(__name__)
app.config["SESSION_TYPE"] = "filesystem"  # any server-side backend works
Session(app)

@app.route('/login', methods=['POST'])
def login():
    # your login logic ...
    # issue a fresh session id; the pre-login id, which the attacker may know, is discarded
    app.session_interface.regenerate(session)
    # your response ...
```
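To make the attack and the mitigation concrete, here is an added example that is not Flask-Session code: a minimal in-memory model of a server-side session store with a regenerate() step that moves the session to a fresh id and forgets the old one, which is the behaviour app.session_interface.regenerate(session) provides for a real backend. The store, the login function and the user name are constructed for the example; the simulation runs the fixation scenario once without and once with regeneration at login.

```python
import secrets


class SessionStore:
    """Toy server-side session backend: opaque session id -> session data.
    Example model only, not Flask-Session's implementation."""

    def __init__(self):
        self._data = {}

    def new_id(self):
        return secrets.token_urlsafe(32)

    def load(self, sid):
        """Return the data for sid, creating an empty session if it is unknown.
        Accepting a client-supplied id this way is what makes fixation possible."""
        return self._data.setdefault(sid, {})

    def peek(self, sid):
        """Read a session without creating one (used to model the attacker's request)."""
        return self._data.get(sid)

    def save(self, sid, data):
        self._data[sid] = data

    def regenerate(self, sid):
        """Move the session to a fresh id and drop the old one; returns the new id."""
        data = self._data.pop(sid, {})
        new_sid = self.new_id()
        self._data[new_sid] = data
        return new_sid


def login(store, sid, user_id, regenerate_on_login):
    """Handle a login request that arrived with session cookie `sid` after the
    credentials have been verified. Returns the id the response cookie should carry."""
    if regenerate_on_login:
        sid = store.regenerate(sid)  # same step as app.session_interface.regenerate(session)
    data = store.load(sid)
    data["user_id"] = user_id      # post-login state is written only under the (new) id
    store.save(sid, data)
    return sid


def simulate_fixation(regenerate_on_login):
    """Run the fixation scenario and report who can use the authenticated session."""
    store = SessionStore()
    # 1. Attacker obtains a valid session id, e.g. by visiting the site.
    fixed_sid = store.new_id()
    store.save(fixed_sid, {})
    # 2. Attacker plants fixed_sid in the victim's browser (link, injected cookie, ...).
    # 3. Victim logs in while carrying the planted id.
    victim_sid = login(store, fixed_sid, user_id="alice", regenerate_on_login=regenerate_on_login)
    # 4. Attacker sends requests using the id they chose.
    attacker_view = store.peek(fixed_sid) or {}
    victim_view = store.peek(victim_sid) or {}
    return {
        "attacker_sees_user": attacker_view.get("user_id") == "alice",
        "victim_logged_in": victim_view.get("user_id") == "alice",
        "id_changed_at_login": victim_sid != fixed_sid,
    }


if __name__ == "__main__":
    print("without regenerate:", simulate_fixation(regenerate_on_login=False))
    print("with regenerate:   ", simulate_fixation(regenerate_on_login=True))
```

The order matters: regenerate after the credentials check but before any post-login data is written, so nothing authenticated is ever stored under the id the attacker chose. Regeneration is one layer; it does not replace the cookie settings above (a Secure, prefixed, SameSite cookie makes planting an id harder in the first place), and the same step is worth repeating on any privilege change.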