tessl-labs/flask-security-basics

Security essentials for Flask APIs — CORS, Talisman security headers, rate

Tile scores: 99 (1.17x). Quality 94% (does it follow best practices?). Impact 100% (1.17x), average score across 10 eval scenarios. Security by Snyk: Passed, no known issues.

evals/scenario-2/task.md

Task: Harden a Flask API for Production

You have been given a minimal Flask application that currently has no security protections. Your job is to add the necessary security configuration so the app is safe to deploy to production.

Starting Point

Create the following file at app.py:

```python
import os  # unused in the starting point
from flask import Flask, request, jsonify

def create_app():
    app = Flask(__name__)
    # Deliberately insecure starting state: a hardcoded secret key and the
    # Werkzeug debugger enabled, and no CORS policy, security headers or
    # rate limiting anywhere. The requirements below are about fixing this.
    app.config['SECRET_KEY'] = 'dev-secret-hardcoded'
    app.debug = True

    @app.route('/api/items', methods=['GET'])
    def list_items():
        return jsonify({'items': []})

    @app.route('/api/items', methods=['POST'])
    def create_item():
        data = request.get_json()  # body is parsed but not used by this stub
        return jsonify({'created': True}), 201

    @app.route('/api/items/<int:item_id>', methods=['DELETE'])
    def delete_item(item_id):
        return jsonify({'deleted': True})

    return app

if __name__ == '__main__':
    app = create_app()
    app.run()
```

Requirements

1. Add CORS support so the app only allows requests from origins listed in an ALLOWED_ORIGINS environment variable (falling back to http://localhost:5173 if the variable is not set). Do not allow all origins.

2. Add HTTP security headers using an appropriate Flask extension.

3. Add rate limiting:
   - A global default of 200 requests per hour per client IP.
   - Stricter limits on the POST and DELETE endpoints (you decide the exact numbers, but they must be more restrictive than the global default).

4. Fix the secret key so it is loaded from the SECRET_KEY environment variable. The application must raise an error at startup if the variable is missing and the app is not in testing mode.

5. Disable debug mode.
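The five requirements above are one procedure, so here is a complete hardened `app.py` that satisfies all of them. This is an added worked example, not the tile's reference solution or grader output. It assumes the extensions named in the tile description (Flask-CORS, Flask-Talisman, Flask-Limiter), picks 30 POST and 10 DELETE requests per hour as the stricter limits (any numbers below 200/hour would do), and the helper names `parse_allowed_origins`, `load_secret_key`, `requests_per_hour` and `endpoint_limits_are_stricter` are this example's own. The third-party imports sit inside `create_app()` so the stdlib-only config helpers can be unit-tested without the extensions installed.

```python
import os
import secrets

DEFAULT_ORIGIN = "http://localhost:5173"
GLOBAL_LIMIT = "200 per hour"   # requirement 3: global default, keyed on client IP
POST_LIMIT = "30 per hour"      # stricter limit for POST (numbers chosen here)
DELETE_LIMIT = "10 per hour"    # stricter limit for DELETE (numbers chosen here)

_PER_HOUR = {"second": 3600, "minute": 60, "hour": 1, "day": 1 / 24}


def parse_allowed_origins(raw):
    """Turn the comma-separated ALLOWED_ORIGINS value into an explicit list.
    Unset/empty falls back to the dev origin; a wildcard is rejected so the
    app can never silently become CORS-open (requirement 1)."""
    if raw is None or not raw.strip():
        return [DEFAULT_ORIGIN]
    origins = [o.strip() for o in raw.split(",") if o.strip()]
    if "*" in origins:
        raise ValueError("ALLOWED_ORIGINS must list explicit origins, not '*'")
    return origins


def load_secret_key(environ, testing=False):
    """Read SECRET_KEY from a mapping such as os.environ. Outside testing a
    missing key is a startup error, not a silent weak default (requirement 4)."""
    key = environ.get("SECRET_KEY")
    if key:
        return key
    if testing:
        return secrets.token_hex(32)  # throwaway key, fresh per test process
    raise RuntimeError("SECRET_KEY environment variable is required")


def requests_per_hour(limit):
    """Normalise a flask-limiter style 'N per <unit>' string to requests/hour."""
    count, _, unit = limit.split()
    return int(count) * _PER_HOUR[unit.rstrip("s")]


def endpoint_limits_are_stricter(default, endpoint_limits):
    """True only if every per-endpoint limit allows fewer requests per hour
    than the global default (the second half of requirement 3)."""
    ceiling = requests_per_hour(default)
    return all(requests_per_hour(lim) < ceiling for lim in endpoint_limits)


def create_app(testing=False):
    # Assumed extensions (Flask-CORS, Flask-Talisman, Flask-Limiter); these
    # plus Flask are what requirements.txt must list.
    from flask import Flask, request, jsonify
    from flask_cors import CORS
    from flask_limiter import Limiter
    from flask_limiter.util import get_remote_address
    from flask_talisman import Talisman

    if not endpoint_limits_are_stricter(GLOBAL_LIMIT, [POST_LIMIT, DELETE_LIMIT]):
        raise RuntimeError("per-endpoint limits must be stricter than the global default")

    app = Flask(__name__)
    app.config["TESTING"] = testing
    app.config["SECRET_KEY"] = load_secret_key(os.environ, testing=testing)
    app.debug = False  # requirement 5: never ship the Werkzeug debugger

    # Requirement 1: CORS restricted to an explicit allow-list on the API routes.
    allowed = parse_allowed_origins(os.environ.get("ALLOWED_ORIGINS"))
    CORS(app, resources={r"/api/*": {"origins": allowed}})

    # Requirement 2: Talisman sets HSTS, X-Frame-Options, CSP, Referrer-Policy
    # and marks the session cookie Secure/HttpOnly. A JSON API serves no
    # scripts, styles or images, so the CSP is locked to 'none'. The HTTPS
    # redirect is off in testing so the test client can speak plain HTTP.
    Talisman(app, force_https=not testing, frame_options="DENY",
             content_security_policy={"default-src": "'none'"})

    # Requirement 3: limits keyed on the client IP. memory:// is per-process;
    # point storage_uri at Redis when running more than one worker.
    limiter = Limiter(key_func=get_remote_address, app=app,
                      default_limits=[GLOBAL_LIMIT], storage_uri="memory://")

    @app.route("/api/items", methods=["GET"])
    def list_items():
        return jsonify({"items": []})

    @app.route("/api/items", methods=["POST"])
    @limiter.limit(POST_LIMIT)
    def create_item():
        data = request.get_json()
        return jsonify({"created": True}), 201

    @app.route("/api/items/<int:item_id>", methods=["DELETE"])
    @limiter.limit(DELETE_LIMIT)
    def delete_item(item_id):
        return jsonify({"deleted": True})

    return app


if __name__ == "__main__":
    # app.run() is for local checks only; serve behind gunicorn or uwsgi in production.
    create_app().run()
```

Two caveats a reviewer would raise. First, `get_remote_address` reads `request.remote_addr`, so behind a reverse proxy every client shares the proxy's IP and the limits are meaningless; wrap `app.wsgi_app` in Werkzeug's `ProxyFix` with the exact number of trusted proxies, never more, or an attacker can spoof `X-Forwarded-For` to escape the limit. Second, the in-memory limiter storage resets on restart and is not shared between workers, so multi-process deployments need a shared backend such as Redis.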

Deliverables

  • app.py — the updated application file with all security measures applied.
  • requirements.txt — listing every Python package needed to run the hardened app.

Do not add a frontend, database, or authentication layer. Focus solely on the security hardening described above.
