Security essentials for Flask APIs — CORS, Talisman security headers, rate
A junior developer has written a Flask REST API for a restaurant ordering system. A security review has flagged concerns about the configuration. Your job is to identify the problems and produce a corrected version.
Create a file restaurant_api.py with the following content:
```python
import os
from flask import Flask, request, jsonify
from flask_cors import CORS
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

def create_app():
    app = Flask(__name__)
    app.config['SECRET_KEY'] = 'my-super-secret-key-1234'
    app.debug = True

    # Allow all cross-origin requests
    CORS(app, resources={r"/*": {"origins": "*"}})

    # Rate limiting
    limiter = Limiter(key_func=get_remote_address, default_limits=["1000 per minute"])
    limiter.init_app(app)

    @app.route('/menu', methods=['GET'])
    def get_menu():
        return jsonify({'items': ['burger', 'pizza']})

    @app.route('/orders', methods=['POST'])
    def create_order():
        data = request.get_json()
        if data is None:
            return jsonify({'error': 'bad request'}), 400
        customer = data.get('customer_name', '').strip()
        if not customer:
            return jsonify({'error': 'customer_name required'}), 400
        return jsonify({'order_id': 42}), 201

    @app.route('/orders/<int:order_id>', methods=['DELETE'])
    def cancel_order(order_id):
        return jsonify({'cancelled': order_id})

    @app.route('/orders/<int:order_id>', methods=['PATCH'])
    def update_order(order_id):
        data = request.get_json()
        return jsonify({'updated': order_id})

    return app

if __name__ == '__main__':
    app = create_app()
    app.run()
```

Write a file security_issues.md that lists each security problem you find in the code above, with a brief explanation of why it is a problem.
Write a corrected version of the file as restaurant_api_fixed.py. The fixed version must:
- Read the allowed CORS origins from ALLOWED_ORIGINS (default http://localhost:3000), removing the wildcard.
- Read SECRET_KEY from the SECRET_KEY environment variable instead of a hardcoded value. Add a startup guard that raises an error if the variable is missing (and the app is not in TESTING mode).

Do not add a database, frontend, or new routes. Only fix the security issues.
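One way restaurant_api_fixed.py could satisfy the two requirements above, written here as an added example rather than the task's reference solution. The 60-per-minute limit, the testing-only key value and the isinstance check on the order body are my assumptions, and Talisman headers are left out because their requirement text is not on the page.

```python
import os
DEFAULT_ORIGINS = "http://localhost:3000"

def parse_allowed_origins(raw):
    # Comma separated ALLOWED_ORIGINS -> explicit list; '*' is refused so the wildcard cannot creep back
    origins = [o.strip() for o in raw.split(",") if o.strip()]
    if not origins or "*" in origins:
        raise ValueError("ALLOWED_ORIGINS must list explicit origins, not '*'")
    return origins

def load_secret_key(env, testing=False):
    # Startup guard: refuse to boot without SECRET_KEY unless the app is in TESTING mode
    key = env.get("SECRET_KEY")
    if key:
        return key
    if testing:
        return "testing-only-not-a-real-secret"  # assumed placeholder, never used outside tests
    raise RuntimeError("SECRET_KEY environment variable is not set")

def create_app(testing=False):
    # Imported here so the two guard helpers above can be exercised without Flask installed
    from flask import Flask, request, jsonify
    from flask_cors import CORS
    from flask_limiter import Limiter
    from flask_limiter.util import get_remote_address
    app = Flask(__name__)
    app.config["TESTING"] = testing
    app.config["SECRET_KEY"] = load_secret_key(os.environ, testing)
    app.debug = False  # the interactive Werkzeug debugger must never run in a deployed API
    origins = parse_allowed_origins(os.environ.get("ALLOWED_ORIGINS", DEFAULT_ORIGINS))
    CORS(app, resources={r"/*": {"origins": origins}})
    # 1000/minute per client address is effectively unlimited; 60/minute is an assumed sane default
    limiter = Limiter(key_func=get_remote_address, default_limits=["60 per minute"])
    limiter.init_app(app)
    @app.route("/menu", methods=["GET"])
    def get_menu():
        return jsonify({"items": ["burger", "pizza"]})
    @app.route("/orders", methods=["POST"])
    def create_order():
        data = request.get_json(silent=True)  # malformed JSON -> None rather than an HTML error page
        if not isinstance(data, dict) or not str(data.get("customer_name", "")).strip():
            return jsonify({"error": "customer_name required"}), 400
        return jsonify({"order_id": 42}), 201
    @app.route("/orders/<int:order_id>", methods=["DELETE"])
    def cancel_order(order_id):
        return jsonify({"cancelled": order_id})
    @app.route("/orders/<int:order_id>", methods=["PATCH"])
    def update_order(order_id):
        return jsonify({"updated": order_id})
    return app
```

Run it with SECRET_KEY and ALLOWED_ORIGINS set in the environment; without SECRET_KEY the process refuses to start instead of silently signing sessions with a known key.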