Security#

Warning

Flask is a micro-framework and does not enable every security feature out of the box. You must configure the security settings for your application yourself.

Flask configuration#

Refer to the Flask documentation, OWASP, and other resources such as MDN for current best practice.

Consider the following Flask configurations in production:

Setting                  Consideration
-----------------------  -----------------------------------------------------------------
SESSION_COOKIE_SECURE    Set to True if your application is served over HTTPS
                         (which it should be in production).
SESSION_COOKIE_NAME      Use the __Secure- or __Host- prefix according to the MDN docs.
SESSION_COOKIE_SAMESITE  Use Lax or Strict.

The cookie prefixes are enforced by the browser, not by Flask: a cookie named __Secure-* is only accepted when it carries the Secure attribute, and a __Host-* cookie additionally requires Path=/ and no Domain attribute. When you use the __Host- prefix, set SESSION_COOKIE_SECURE to True and leave SESSION_COOKIE_DOMAIN unset, otherwise the browser silently drops the session cookie.

You can use a security plugin such as Flask-Talisman to set these and more.
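The following is an added example, not code from the Flask-Session documentation: a small checker that applies the recommendations in the table above, together with the browser's prefix rules, to a Flask config dict and to a raw Set-Cookie header as a server emits it. The config dicts and header strings are constructed for illustration; run the header checker against the Set-Cookie line your own deployment returns.

```python
# Added example (not from the Flask-Session documentation): a checker for the
# session-cookie settings recommended above. It applies the cookie prefix rules
# (__Secure- requires Secure; __Host- requires Secure, Path=/ and no Domain) to
# a Flask config dict and to raw Set-Cookie headers. All dicts and header
# strings below are constructed for illustration.

FLASK_DEFAULTS = {  # what a Flask app ships with if nothing is configured
    "SESSION_COOKIE_NAME": "session",
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_SAMESITE": None,
    "SESSION_COOKIE_PATH": None,  # None means Flask falls back to APPLICATION_ROOT ("/")
    "SESSION_COOKIE_DOMAIN": None,
}

HARDENED = {  # the settings from the table above, using the __Host- prefix
    "SESSION_COOKIE_NAME": "__Host-session",
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
    "SESSION_COOKIE_PATH": "/",
    "SESSION_COOKIE_DOMAIN": None,
}


def prefix_problems(name, secure, path, domain):
    """Browser prefix rules, shared by the config checker and the header checker."""
    problems = []
    if name.startswith("__Host-"):
        if not secure:
            problems.append("__Host- cookie must have the Secure attribute")
        if path != "/":
            problems.append("__Host- cookie must have Path=/")
        if domain:
            problems.append("__Host- cookie must not have a Domain attribute")
    elif name.startswith("__Secure-"):
        if not secure:
            problems.append("__Secure- cookie must have the Secure attribute")
    else:
        problems.append("cookie name has no __Secure- or __Host- prefix")
    return problems


def check_session_cookie_config(cfg):
    """Return a list of problems with a Flask config dict; an empty list means OK."""
    name = cfg.get("SESSION_COOKIE_NAME", "session")
    secure = bool(cfg.get("SESSION_COOKIE_SECURE", False))
    samesite = cfg.get("SESSION_COOKIE_SAMESITE")
    path = cfg.get("SESSION_COOKIE_PATH") or cfg.get("APPLICATION_ROOT") or "/"
    domain = cfg.get("SESSION_COOKIE_DOMAIN")
    problems = []
    if not secure:
        problems.append("SESSION_COOKIE_SECURE should be True")
    if samesite not in ("Lax", "Strict"):
        problems.append("SESSION_COOKIE_SAMESITE should be Lax or Strict")
    return problems + prefix_problems(name, secure, path, domain)


def check_set_cookie(header):
    """Apply the same rules to one Set-Cookie header value as sent by a server."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:  # attributes: "Secure", "Path=/", "SameSite=Lax", ...
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    secure = "secure" in attrs
    problems = []
    if not secure:
        problems.append("missing Secure attribute")
    if attrs.get("samesite") not in ("Lax", "Strict"):
        problems.append("SameSite should be Lax or Strict")
    return problems + prefix_problems(name, secure, attrs.get("path"), attrs.get("domain"))


# Constructed Set-Cookie values, as a Flask app might emit them.
WEAK_HEADER = "session=abc123; HttpOnly; Path=/"
HARDENED_HEADER = "__Host-session=abc123; Secure; HttpOnly; Path=/; SameSite=Lax"
BROKEN_HOST_HEADER = "__Host-session=abc123; Secure; HttpOnly; Domain=example.com; Path=/; SameSite=Lax"

if __name__ == "__main__":
    for label, cfg in (("Flask defaults", FLASK_DEFAULTS), ("hardened", HARDENED)):
        print(label, check_session_cookie_config(cfg) or "OK")
    for header in (WEAK_HEADER, HARDENED_HEADER, BROKEN_HOST_HEADER):
        print(header.split(";")[0], check_set_cookie(header) or "OK")
```

The third header shows the case that bites in practice: every recommended setting is present, but a Domain attribute on a __Host- cookie means the browser never stores it and every request arrives without a session.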

Storage#

Take care to secure the session storage backend and the client connection to it. For example, set up SSL/TLS on the connection and require authentication to the store. Session data is as sensitive as the credentials it represents: anyone who can read or write the store can impersonate every logged-in user.

Session fixation#

Session fixation is an attack that lets an attacker hijack a valid user session. The attacker first obtains a session identifier and plants it in the victim's browser before the victim logs in; once the victim authenticates, the server associates that known identifier with the authenticated session, and the attacker can present it to impersonate the user. One mitigation among others is to regenerate the session identifier when a user logs in (and on any other change of privilege), so that the identifier the attacker knows is discarded. With Flask-Session this is done by calling app.session_interface.regenerate(session); the method is defined on flask_session.base.ServerSideSessionInterface, and app.session_interface is an instance of that class once Flask-Session is initialised.

from flask import Flask, session
from flask_session import Session

app = Flask(__name__)
app.config['SESSION_TYPE'] = 'filesystem'  # Flask-Session must manage the session for regenerate()
Session(app)

@app.route('/login', methods=['POST'])
def login():
    # your login logic (verify the credentials) ...
    app.session_interface.regenerate(session)  # issue a fresh ID; any ID fixed before login is now useless
    # your response ...
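To see what regeneration buys, here is an added example that is not Flask-Session's code: a minimal server-side session store with a `regenerate()` that does what the text describes (move the data under a fresh identifier and delete the old one), and the fixation scenario run against it with and without regeneration at login. `SessionStore`, `login` and `run_fixation_scenario` are simplified stand-ins written for this example; the invariant they demonstrate holds for any server-side backend.

```python
# Added example (not Flask-Session's code): a minimal server-side session store
# and a model of the session fixation attack. The attacker obtains a valid
# session id and fixes it on the victim; the victim then logs in. Without
# regeneration the attacker's id now maps to the authenticated session; with
# regeneration it is deleted and the new id is never seen by the attacker.
# SessionStore, login and run_fixation_scenario are simplified stand-ins.
import secrets


class SessionStore:
    """Server-side store keyed by session id (a dict standing in for Redis etc.)."""

    def __init__(self):
        self._data = {}

    def create(self):
        """Start a new, anonymous session and return its id."""
        sid = secrets.token_urlsafe(32)
        self._data[sid] = {}
        return sid

    def load(self, sid):
        """Return the session dict for sid, or None if the id is unknown."""
        return self._data.get(sid)

    def regenerate(self, sid):
        """Move the session data under a fresh id and delete the old id.

        The user keeps their session contents; the old id stops being valid.
        """
        data = self._data.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._data[new_sid] = data
        return new_sid


def login(store, sid, username, regenerate_on_login):
    """Authenticate the user whose browser presents sid.

    Returns the id the server sets back in the cookie.
    """
    if store.load(sid) is None:
        # Never adopt an id the store does not know: issue our own instead.
        sid = store.create()
    if regenerate_on_login:
        sid = store.regenerate(sid)
    store.load(sid)["user"] = username
    return sid


def run_fixation_scenario(regenerate_on_login):
    """Run the attack; report whether the attacker can hijack the victim's session
    and whether the victim still has a working authenticated session."""
    store = SessionStore()
    # 1. Attacker obtains a valid (anonymous) session id from the server.
    fixated_sid = store.create()
    # 2. Attacker plants it in the victim's browser (link, injected cookie, ...)
    #    and the victim logs in while presenting that id.
    victim_sid = login(store, fixated_sid, "alice", regenerate_on_login)
    # 3. Attacker replays the id they know.
    hijacked = store.load(fixated_sid)
    victim = store.load(victim_sid)
    return {
        "attacker_can_hijack": hijacked is not None and hijacked.get("user") == "alice",
        "victim_logged_in": victim is not None and victim.get("user") == "alice",
    }


if __name__ == "__main__":
    print("without regenerate:", run_fixation_scenario(regenerate_on_login=False))
    print("with regenerate:   ", run_fixation_scenario(regenerate_on_login=True))
```

Regeneration only helps if the old identifier is actually removed from the store; a `regenerate()` that issues a new id but leaves the old one valid is no defence. Note also that the first check in `login` (refusing to adopt an unknown id) is a separate, complementary measure: it stops an attacker from choosing an arbitrary id, but not from fixing one the server itself issued.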