Name: tessl-labs/flask-security-basics
Rating: 99.4 (1 reviews)
Author: tessl-labs

Blog Docs Log in Get started

tessl-labs/flask-security-basics

Security essentials for Flask APIs — CORS, Talisman security headers, rate

1.17x

Quality

94%

Does it follow best practices?

Impact

100%

1.17x

Average score across 10 eval scenarios

Securityby

Passed

No known issues

Evaluation results

100%

Task: Add Input Validation to a Flask POST Endpoint

Criteria

Without context

With context

get_json(silent=True) used

100%

None body returns 400

100%

title presence check

100%

title max length check

100%

title stripped

100%

author presence check

100%

author max length check

100%

year type and range check

100%

tags list type check

100%

tags element check

100%

400 JSON error response

100%

Valid request succeeds

100%

Task: Harden a Flask API for Production

Criteria

Without context

With context

CORS extension used

100%

No wildcard CORS

100%

CORS env var origins

100%

Talisman / security headers

100%

Rate limiter initialized

100%

Global rate limit 200/hour

100%

POST endpoint rate limited

100%

DELETE endpoint rate limited

100%

SECRET_KEY from env

100%

Startup check for SECRET_KEY

100%

Debug mode disabled

100%

requirements.txt present

100%

Task: Security Review and Fix for a Flask API

Criteria

Without context

With context

Wildcard CORS identified

100%

Hardcoded secret identified

100%

Debug mode identified

100%

Permissive rate limit identified

100%

Missing per-route limits identified

100%

CORS fixed with env var

100%

SECRET_KEY from env

100%

SECRET_KEY startup guard

100%

Global rate limit corrected

100%

POST route limited

100%

PATCH route limited

100%

DELETE route limited

100%

Debug mode disabled

100%

Routes preserved

100%

Both files present

100%

34%

Adding Security Headers to a Proxy-Deployed Flask API

Talisman security headers behind reverse proxy

Criteria

Without context

With context

Talisman imported

100%

Talisman instantiated

71%

100%

Talisman applied to app

100%

force_https=False

100%

session_cookie_secure=True

50%

100%

session_cookie_http_only=True

50%

100%

flask-talisman in requirements

100%

Original routes preserved

100%

No force_https=True

100%

Fixing Information Leakage in Error Responses

Secure JSON error handlers

Criteria

Without context

With context

500 handler registered

100%

500 returns generic message

100%

500 returns correct status code

100%

No str(e) in 500 response

100%

app.logger.exception() called

66%

100%

404 handler registered

100%

404 returns JSON

100%

404 returns correct status code

100%

Original routes preserved

100%

37%

Refactoring Flask Extensions for an Application Factory

Application factory extension init_app pattern

Criteria

Without context

With context

create_app function defined

100%

CORS init_app used

100%

Talisman init_app used

100%

Talisman force_https=False preserved

100%

Limiter init_app used

100%

CORS origins preserved

100%

SECRET_KEY guard inside factory

87%

100%

Original routes preserved

100%

No module-level app = Flask(...)

100%

Redis storage_uri preserved

100%

44%

Production Deployment: Rate Limiter Acting Strangely

Criteria

Without context

With context

ProxyFix imported

100%

ProxyFix applied

100%

ProxyFix x_for=1

100%

ProxyFix x_proto=1 and x_host=1

100%

Redis storage_uri present

100%

No in-memory default

100%

IP diagnosis mentioned

100%

Multi-worker diagnosis mentioned

100%

Redis fix rationale

100%

requirements.txt present

100%

Existing routes preserved

100%

Adding Login Sessions to an Internal Flask API

Criteria

Without context

With context

SESSION_COOKIE_SECURE=True

100%

SESSION_COOKIE_HTTPONLY=True

100%

SESSION_COOKIE_SAMESITE='Lax'

100%

user_id stored in session

100%

role NOT in session

100%

hr_api_token NOT in session

100%

salary_band NOT in session

100%

password NOT in session

100%

me endpoint uses session

100%

logout clears session

100%

Evaluated: 18 days ago
Agent: Claude Code
Model: Claude Sonnet 4.6

Table of Contents

Task: Add Input Validation to a Flask POST Endpoint Task: Harden a Flask API for Production Task: Security Review and Fix for a Flask API Adding Security Headers to a Proxy-Deployed Flask API Fixing Information Leakage in Error Responses Refactoring Flask Extensions for an Application Factory Production Deployment: Rate Limiter Acting Strangely Adding Login Sessions to an Internal Flask API