flask-security
Install: claude install-skill hlsitechio/claude-skills-security
# Flask Security Audit
Audit Flask applications. Flask ships far fewer defaults than Django (no CSRF protection, no ORM, no auth layer, no security headers), so most controls live in extensions and in choices the developer made; the audit has to find each one rather than assume it.
## When this skill applies
- Reviewing Flask app structure, routes, blueprints
- Auditing Jinja2 templates for XSS
- Reviewing Flask-Login / Flask-WTF / Flask-SQLAlchemy setup
- Checking app.config for secret handling
## Workflow
Follow `../_shared/audit-workflow.md`.
### Phase 1: Stack detection
```bash
grep -inE '\bflask\b' requirements.txt pyproject.toml setup.py setup.cfg Pipfile 2>/dev/null
# flask.__version__ is deprecated since Flask 3.0; read the installed version from package metadata instead
python -c "import importlib.metadata as m; print(m.version('flask'))" 2>/dev/null
```
### Phase 2: Inventory
```bash
# App factory pattern
grep -rn 'def create_app\|Flask(__name__)' . --include='*.py' 2>/dev/null
# Routes
# Covers @app.route, @bp.route, the Flask 2.0+ @app.get/@bp.post shortcuts and programmatic add_url_rule()
grep -rnE '@\w+\.(route|get|post|put|patch|delete)\(|add_url_rule\(' . --include='*.py' 2>/dev/null | head -50
# Templates
grep -rn 'render_template\|render_template_string' . --include='*.py' 2>/dev/null
# Jinja safe filter / autoescape. Flask autoescapes only templates named .html/.htm/.xml/.xhtml (and .svg in recent
# releases) plus render_template_string(); templates with other extensions render unescaped unless they opt in
grep -rnE '\|\s*safe|autoescape|Markup\(' . --include='*.py' --include='*.html' --include='*.j2' --include='*.jinja' 2>/dev/null
# Extensions
grep -inE 'flask[-_](login|wtf|sqlalchemy|restful|admin|cors)' requirements.txt pyproject.toml setup.py setup.cfg Pipfile 2>/dev/null
```
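The template grep above is line-based, so it cannot tell `render_template_string("<p>{{ x }}</p>", x=value)` (data passed as context, autoescaped) from `render_template_string("<p>" + value + "</p>")` (data spliced into the template source, which is server-side template injection). The following is an added example, not code from the skill or from Flask: a stdlib-only AST pass that makes that distinction and also flags `Markup()` around non-literal values and `autoescape=False`. The finding labels, the sample application source and the sample template are constructed for the demo; `load_bio()` in the sample is a placeholder that is parsed but never executed.

```python
# Added example, not part of the skill: an ast-based refinement of the Phase 2
# template grep.  Stdlib only, so it runs without Flask installed.  The three
# finding labels and the sample source/template are constructed for this demo.
import ast
import re

# |safe or an explicit {% autoescape false %} block inside a template file
TEMPLATE_NOESC = re.compile(r"\|\s*safe\b|{%-?\s*autoescape\s+false\s*-?%}", re.I)


def _is_str_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _call_name(node):
    """Callee name for both bare calls and attribute calls (flask.Markup(...))."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def scan_python(src, filename="<src>"):
    """Return (label, lineno, message) tuples for risky template calls in Python source."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name == "render_template_string" and node.args and not _is_str_literal(node.args[0]):
            # Data that belongs in the *context* is spliced into the *template*: SSTI
            findings.append(("SSTI", node.lineno, "render_template_string() with a non-literal template"))
        elif name == "Markup" and node.args and not _is_str_literal(node.args[0]):
            findings.append(("MARKUP", node.lineno, "Markup() marks a non-literal value as safe"))
        elif name == "Environment":
            for kw in node.keywords:
                if kw.arg == "autoescape" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                    findings.append(("NOESC", node.lineno, "jinja2.Environment(autoescape=False)"))
    return sorted(findings, key=lambda f: f[1])  # ast.walk is breadth-first; report in line order


def scan_template(text):
    """Return (label, lineno, line) tuples for template lines that switch escaping off."""
    return [("NOESC", i, line.strip())
            for i, line in enumerate(text.splitlines(), 1) if TEMPLATE_NOESC.search(line)]


# Constructed sample application source (not a real project); first line is blank.
SAMPLE_PY = '''
from flask import Flask, request, render_template, render_template_string
from markupsafe import Markup
app = Flask(__name__)

@app.route("/hello")
def hello():
    name = request.args.get("name", "")
    # BAD: user input is spliced into the template source, not passed as context
    return render_template_string("<h1>Hello " + name + "</h1>")

@app.route("/ok")
def ok():
    # OK: literal template; the value is context and gets autoescaped
    return render_template_string("<h1>Hello {{ name }}</h1>", name=request.args.get("name", ""))

@app.route("/bio")
def bio():
    # BAD: stored data marked safe; load_bio() is a placeholder, never executed here
    return render_template("bio.html", bio=Markup(load_bio()))
'''

# Constructed sample template
SAMPLE_HTML = '''<div>{{ user.bio|safe }}</div>
{% autoescape false %}{{ comment }}{% endautoescape %}
<p>{{ title }}</p>
'''

if __name__ == "__main__":
    for finding in scan_python(SAMPLE_PY) + scan_template(SAMPLE_HTML):
        print(*finding)
```

Run over the sample it reports the SSTI sink in `hello()` and the `Markup()` in `bio()` but not the context-based call in `ok()`, plus the two escaping opt-outs in the template. Point it at the real tree by feeding each `*.py` and template file's contents to the two functions.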
### Phase 3: Detection — the checks
#### App configuration
- **FLK-CFG-1** `SECRET_KEY` loaded from the environment or a secrets store, never a literal in source: whoever knows the key can sign, and therefore forge, session cookies. Generate with `secrets.token_urlsafe(64)`.
- **FLK-CFG-2** Separate config classes for dev/prod, with `DEBUG=False` in prod: the Werkzeug interactive debugger is code execution for anyone who can reach it.
- **FLK-CFG-3** `SESSION_COOKIE_SECURE=True`, `SESSION_COOKIE_HTTPONLY=True`, `SESSIO
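The following is an added example, not code from the skill or from Flask, showing the dev/prod config split the FLK-CFG checks expect together with a small audit function that applies FLK-CFG-1 to FLK-CFG-3 to any config mapping (pass it `app.config`, which is a dict subclass). It is stdlib only; the class names, the `WEAK_KEYS` placeholder list and the `BAD_PROD` sample are constructed for the demo. It assumes Flask's documented defaults (`DEBUG` and `SESSION_COOKIE_SECURE` off, `SESSION_COOKIE_HTTPONLY` on) when a key is absent.

```python
# Added example, not from the skill: a config-layer audit for FLK-CFG-1..3 and the
# dev/prod split the checks expect.  Stdlib only; pass it app.config (a dict subclass)
# or any mapping.  Class names, WEAK_KEYS and BAD_PROD are constructed for the demo.
import os
import secrets

# FLK-CFG-1: placeholder keys that ship in tutorials (constructed list; extend it)
WEAK_KEYS = {"dev", "secret", "changeme", "password", "your-secret-key", "super secret key"}


class BaseConfig:
    # Never a literal: whoever knows SECRET_KEY can sign (forge) session cookies.
    # A missing env var yields None, which audit_config() flags instead of masking.
    SECRET_KEY = os.environ.get("SECRET_KEY")
    SESSION_COOKIE_HTTPONLY = True
    SESSION_COOKIE_SAMESITE = "Lax"  # this example's addition; not one of the FLK-CFG checks


class DevConfig(BaseConfig):
    DEBUG = True
    SESSION_COOKIE_SECURE = False  # plain http://127.0.0.1 during development


class ProdConfig(BaseConfig):
    DEBUG = False
    SESSION_COOKIE_SECURE = True


def config_to_dict(cls):
    """Mirror Flask's Config.from_object(): only UPPERCASE attributes are settings."""
    return {k: getattr(cls, k) for k in dir(cls) if k.isupper()}


def generate_secret_key():
    """Value to place in the environment; the skill's recommended generator."""
    return secrets.token_urlsafe(64)


def audit_config(cfg, production=True):
    """Return FLK-CFG findings for a Flask config mapping; [] means clean."""
    findings = []
    key = cfg.get("SECRET_KEY")
    if not key:
        findings.append("FLK-CFG-1: SECRET_KEY unset; sessions cannot be signed")
    elif len(str(key)) < 32 or str(key).lower() in WEAK_KEYS:
        findings.append("FLK-CFG-1: SECRET_KEY is short or a known placeholder")
    if production:
        if cfg.get("DEBUG", False):  # Flask default: False
            findings.append("FLK-CFG-2: DEBUG=True; Werkzeug's interactive debugger is code execution")
        if not cfg.get("SESSION_COOKIE_SECURE", False):  # Flask default: False
            findings.append("FLK-CFG-3: SESSION_COOKIE_SECURE not set; session cookie sent over plain HTTP")
    if not cfg.get("SESSION_COOKIE_HTTPONLY", True):  # Flask default: True
        findings.append("FLK-CFG-3: SESSION_COOKIE_HTTPONLY disabled; cookie readable from JavaScript")
    return findings


# Constructed "what a tutorial ships to production" config for the demo
BAD_PROD = {"SECRET_KEY": "dev", "DEBUG": True, "SESSION_COOKIE_SECURE": False}

if __name__ == "__main__":
    prod = dict(config_to_dict(ProdConfig), SECRET_KEY=generate_secret_key())
    print("bad :", audit_config(BAD_PROD))
    print("prod:", audit_config(prod))
```

During a review the quickest use is from a Flask shell: `audit_config(app.config)` after `create_app()` has run, so that settings applied by `from_object`, `from_prefixed_env` or extension setup are all visible rather than only what the grep in Phase 2 finds in source.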