Flask Security Overview
Introduction
Security is a critical aspect of web application development. Even the most feature-rich applications are useless if they cannot protect user data and resist common attacks. Flask, as a lightweight web framework, doesn't come with all security features enabled by default, which means developers need to understand and implement proper security measures themselves.
In this guide, we'll explore the fundamental security concepts you should understand when building Flask applications, common vulnerabilities to watch out for, and best practices to keep your Flask applications secure.
Why Security Matters in Flask Applications
Flask's minimalist design philosophy means you have the freedom to structure your application as you see fit, but this also means you need to be proactive about implementing security features. Poor security practices can lead to:
- Unauthorized access to user accounts
- Data breaches exposing sensitive information
- Injection attacks that can compromise your entire system
- Defacement or destruction of your web application
- Loss of user trust and potential legal liabilities
Essential Security Concepts for Flask Applications
1. Cross-Site Scripting (XSS) Protection
Cross-Site Scripting (XSS) attacks occur when malicious scripts are injected into trusted websites. Flask's templating engine, Jinja2, automatically escapes content to prevent XSS attacks.
# Flask automatically escapes variables in templates
@app.route('/user/<username>')
def profile(username):
# Even if username contains script tags, they will be escaped
return render_template('profile.html', username=username)
In your HTML template:
<!-- This will safely escape any HTML in the username -->
<h1>Hello, {{ username }}</h1>
If you need to include unescaped HTML (which should be rare), use the |safe filter only on trusted content:
<!-- Only do this when you're absolutely sure the content is safe -->
<div>{{ trusted_html_content|safe }}</div>
2. Cross-Site Request Forgery (CSRF) Protection
CSRF attacks trick users into submitting requests they didn't intend to make. Flask-WTF provides CSRF protection:
pip install flask-wtf
Setting up CSRF protection:
from flask import Flask, render_template
from flask_wtf.csrf import CSRFProtect
app = Flask(__name__)
app.config['SECRET_KEY'] = 'a-very-secret-key' # In production, use a strong random key
csrf = CSRFProtect(app)
@app.route('/form', methods=['GET'])
def show_form():
return render_template('form.html')
@app.route('/process', methods=['POST'])
def process_form():
# The request will be automatically checked for a valid CSRF token
# If missing or invalid, a 400 Bad Request error is returned
return 'Form processed successfully!'
In your form template:
<form method="post" action="/process">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<!-- rest of your form -->
<button type="submit">Submit</button>
</form>
3. Secure Cookies and Sessions
Flask uses cookies to maintain user sessions. Always configure your application with a strong secret key:
app = Flask(__name__)
app.config['SECRET_KEY'] = 'generate-a-strong-secret-key' # Use os.urandom(24) in production
@app.route('/set_session')
def set_session():
session['username'] = 'user123'
return 'Session variable set!'
@app.route('/get_session')
def get_session():
username = session.get('username', 'Guest')
return f'Current user: {username}'
For added security with cookies:
app.config.update(
SESSION_COOKIE_SECURE=True, # Send cookies only over HTTPS
SESSION_COOKIE_HTTPONLY=True, # Prevent JavaScript access to cookies
SESSION_COOKIE_SAMESITE='Lax', # Provides CSRF protection
)
4. SQL Injection Prevention
SQL injection occurs when untrusted input is used directly in SQL queries. Flask-SQLAlchemy and other ORMs automatically protect against SQL injection:
from flask_sqlalchemy import SQLAlchemy
app = Flask(__name__)
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///site.db'
db = SQLAlchemy(app)
class User(db.Model):
id = db.Column(db.Integer, primary_key=True)
username = db.Column(db.String(80), unique=True, nullable=False)
# Safe - uses parameterized queries
@app.route('/user/<username>')
def get_user(username):
user = User.query.filter_by(username=username).first()
if user:
return f'User found: {user.username}'
return 'User not found'
If you need to write raw SQL (not recommended), always use parameterized queries:
# Safe - uses parameterized queries
@app.route('/user/<username>')
def get_user_raw(username):
cursor = db.session.execute('SELECT * FROM user WHERE username = :username',
{'username': username})
user = cursor.fetchone()
if user:
return f'User found: {user[1]}' # Assuming username is the second column
return 'User not found'
5. Password Hashing
Never store plain-text passwords. Use a dedicated library like Werkzeug (included with Flask) for password hashing:
from werkzeug.security import generate_password_hash, check_password_hash
@app.route('/register', methods=['POST'])
def register():
username = request.form['username']
password = request.form['password']
# Hash the password before storing
hashed_password = generate_password_hash(password, method='pbkdf2:sha256')
# Store username and hashed_password in database
new_user = User(username=username, password_hash=hashed_password)
db.session.add(new_user)
db.session.commit()
return 'User registered successfully'
@app.route('/login', methods=['POST'])
def login():
username = request.form['username']
password = request.form['password']
user = User.query.filter_by(username=username).first()
if user and check_password_hash(user.password_hash, password):
# Password is correct
session['user_id'] = user.id
return 'Login successful'
return 'Invalid username or password'
6. Content Security Policy (CSP)
Content Security Policy helps prevent XSS and data injection attacks by controlling what resources can be loaded:
from flask import Flask, render_template
app = Flask(__name__)
@app.after_request
def add_security_headers(resp):
resp.headers['Content-Security-Policy'] = "default-src 'self'; script-src 'self'; style-src 'self'"
return resp
@app.route('/')
def index():
return render_template('index.html')
This basic policy only allows resources to be loaded from your own domain. You can customize it further based on your application's needs.
7. Rate Limiting
Protect your endpoints from brute force attacks with rate limiting:
pip install flask-limiter
from flask import Flask
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address
app = Flask(__name__)
limiter = Limiter(
app,
key_func=get_remote_address,
default_limits=["200 per day", "50 per hour"]
)
@app.route('/login', methods=['POST'])
@limiter.limit("5 per minute") # Only 5 login attempts per minute
def login():
# Login logic
pass
Real-World Security Implementation Example
Let's build a simple but secure user authentication system combining several security concepts:
from flask import Flask, request, render_template, redirect, url_for, session, flash
from flask_sqlalchemy import SQLAlchemy
from flask_wtf.csrf import CSRFProtect
from werkzeug.security import generate_password_hash, check_password_hash
import os
app = Flask(__name__)
app.config.update(
SECRET_KEY=os.urandom(24),
SQLALCHEMY_DATABASE_URI='sqlite:///secure_site.db',
SQLALCHEMY_TRACK_MODIFICATIONS=False,
SESSION_COOKIE_SECURE=True,
SESSION_COOKIE_HTTPONLY=True,
SESSION_COOKIE_SAMESITE='Lax',
)
db = SQLAlchemy(app)
csrf = CSRFProtect(app)
# User model
class User(db.Model):
id = db.Column(db.Integer, primary_key=True)
username = db.Column(db.String(80), unique=True, nullable=False)
password_hash = db.Column(db.String(256), nullable=False)
def set_password(self, password):
self.password_hash = generate_password_hash(password)
def check_password(self, password):
return check_password_hash(self.password_hash, password)
# Add security headers to all responses
@app.after_request
def add_security_headers(resp):
resp.headers['Content-Security-Policy'] = "default-src 'self'"
resp.headers['X-Content-Type-Options'] = 'nosniff'
resp.headers['X-Frame-Options'] = 'DENY'
resp.headers['X-XSS-Protection'] = '1; mode=block'
return resp
@app.route('/')
def index():
return render_template('index.html')
@app.route('/register', methods=['GET', 'POST'])
def register():
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
# Input validation (very basic)
if not username or not password or len(password) < 8:
flash('Username required and password must be at least 8 characters')
return redirect(url_for('register'))
if User.query.filter_by(username=username).first():
flash('Username already exists')
return redirect(url_for('register'))
# Create new user with hashed password
new_user = User(username=username)
new_user.set_password(password)
db.session.add(new_user)
db.session.commit()
flash('Registration successful! You can now log in.')
return redirect(url_for('login'))
return render_template('register.html')
@app.route('/login', methods=['GET', 'POST'])
def login():
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
user = User.query.filter_by(username=username).first()
if user and user.check_password(password):
session.clear()
session['user_id'] = user.id
return redirect(url_for('dashboard'))
flash('Invalid username or password')
return render_template('login.html')
@app.route('/dashboard')
def dashboard():
if 'user_id' not in session:
flash('Please login first')
return redirect(url_for('login'))
user = User.query.get(session['user_id'])
return render_template('dashboard.html', user=user)
@app.route('/logout')
def logout():
session.clear()
flash('You have been logged out')
return redirect(url_for('index'))
if __name__ == '__main__':
with app.app_context():
db.create_all()
app.run(debug=True)
Sample login form template (login.html):
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Login</title>
</head>
<body>
<h1>Login</h1>
{% for message in get_flashed_messages() %}
<div class="alert">{{ message }}</div>
{% endfor %}
<form method="post">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div>
<label for="username">Username:</label>
<input type="text" id="username" name="username" required>
</div>
<div>
<label for="password">Password:</label>
<input type="password" id="password" name="password" required>
</div>
<button type="submit">Login</button>
</form>
<p>Don't have an account? <a href="{{ url_for('register') }}">Register here</a></p>
</body>
</html>
Security Checklist for Flask Applications
Here's a quick checklist to ensure your Flask application has the basic security measures in place:
- ✅ Use a strong, unique SECRET_KEY
- ✅ Enable CSRF protection for all forms
- ✅ Hash passwords before storing them
- ✅ Set secure flags on cookies (Secure, HttpOnly, SameSite)
- ✅ Use parameterized queries (preferably with an ORM)
- ✅ Implement proper input validation
- ✅ Add security headers (CSP, X-Frame-Options, etc.)
- ✅ Implement rate limiting for sensitive endpoints
- ✅ Keep Flask and its dependencies up to date
- ✅ Use HTTPS in production
Summary
Securing a Flask application involves implementing protections against various attack vectors, from cross-site scripting to SQL injection. While Flask's minimalist design doesn't include all security features out-of-the-box, the ecosystem provides the tools necessary to build secure web applications.
Remember that security is not a one-time task but an ongoing process. Regularly update your dependencies, review your code for security issues, and stay informed about new vulnerabilities and best practices.
Additional Resources
- Flask Security Documentation
- OWASP Top Ten Web Application Security Risks
- Flask-Security Extension
- Flask-Talisman - HTTP security headers for Flask
Exercises
- Implement a password reset functionality with proper security measures (time-limited tokens, email verification).
- Create a secure API endpoint that requires authentication with JSON Web Tokens (JWT).
- Add two-factor authentication to the login system we built in this guide.
- Perform a security audit on an existing Flask application and identify potential vulnerabilities.
- Implement proper file upload security measures to prevent malicious file uploads.
By following these principles and practices, you'll be well on your way to building secure Flask applications that protect your users' data and maintain their trust.
If you spot any mistakes on this website, please let me know at feedback@compilenrun.com. I’d greatly appreciate your feedback! :)