Flask Series: Security

In this blog post I will describe how to secure your Flask application.

Cross Site Scripting or XSS is an attack that tries to have your website or application load a malicious script in the browser. This script can try access user’s credentials data, get cookie information, modify settings, download bits, etc.. One way to avoid this attack is to escape text and to validate user input.

By default Flask configures Jinja2 to auto escape all values loaded in the page.

where the jinja2.ext.autoescape extension depends on

This could lead to some performance overhead. You still have to consider several scenarios where you should be careful:
– avoid generating html without Jinja2;
– avoid sending out data from uploaded files;
– avoid using the Markup class on not verified data sent by a user;
– always quote the attributes values in your templates, when Jinja expressions are used within, otherwise an attacker could easily inject either JavaScript code or CSS. More information on CSS injection;

Additional information about the XSS attacks can be found here.

Cross-Site Request Forgery or CSRF is an attack that uses the user’s authentication credentials to execute unwanted actions.

In order to secure your application against CSRF is to use a random string and to verify it against a hidden field. The complete code snippet can be found here.

Additional information about CSRF attacks can be found here.

SQL Injection
SQL Injection is an attack where users can inject SQL commands via user input form and have them executed on the server. This SQL commands could do everything: read sensitive data, modify the database data, perform administrative tasks against the database server. Your application can be exposed to this attack when you dynamically create SQL statements (concatenating data based on user’s input), etc. By default SQL Alchemy quotes special characters – semicolons or apostrophes.

Authentication and Authorization
Authentication is a process that verifies the user’s identity, by validating his / her credential (username / email, password) against a given authority.  Authorization process verifies whether the authenticated user has access to a given resource.

Flask-Security is a very helpful extensions that integrates several other Flask extensions and Python libraries:
– Flask-Login;
– Flask-Mail;
– Flask-Principal;
– Flask-Script;
– Flask-WTF;
– itsdangerous;
– passlib;

and provides out-of-the-box support for Flask-SQLAlchemy.

Note: I am using an older version of Flask-Login – 0.2.11, in order to workaround a breaking change in the extension’s API, that breaks the integration with the other security related Flask extensions.

Flask-Security uses internally a User and Role data model, that could be defined via the SQL Alchemy API.


The User class derives from the UserMixin Flask-Login default user implementation and same goes for the Role class – RoleMixin. You could add any aditional information to both User and Role classes if you need to.

Note: I have modified the seed.py module to seed the database with test users and roles data.

I am using SQL Alchemy for managing both User and Role objects. I have added the following configuration related to using Flask-Login with SQL Alchemy:


The complete Flask-Security configurations with their explanations can be found here.

To be compliant with the layout, I have implemented custom login and registration forms:

– templates/security/login_user.html;
– templates/security/register_user.html;

It is common to be able to access the current user in your Flask application within the Jinja templates and introduce some logic based on that data. In order to achieve that goal you could use context processors:


and you could access the user in your templates: bookshelf/templates/layout.htm

As I mentioned earlier: authorization is a process verifies whether the authenticated user has access to a given resource. Flask-Security allows developers to restrict access to a given page by specifying that a user should be either logged in or have given role(s) assigned, by decorating the view function with @login_required, @roles_required:

The complete demo application, described in this blog post, can be found here.

In the next blog post I will describe how to optimize your Flask application.

  • Mostafa Hussein

    Is there a way to make User registration only by admins ?, i have found a question on SOF which suggests to limit the views for admins only i guess by using jinja. is there a better way ?

    #1 on that answer http://stackoverflow.com/a/31228170/2336650

  • damyanbogoev

    The approach suggested in the SO thread is applicable in the setup, you want to achieve. You could also use the Flask-Admin extension (https://github.com/flask-admin/flask-admin) to handle users.