
I am creating a normal HTTP server via Flask in Python. This program is supposed to run on a normal computer. This web server would then be accessed by a mobile app and some critical data would be exchanged.

The question is now, how to make the connection secure. Piece of code:

from flask import Flask, request

app = Flask(__name__)

# request.form is only populated from a POST body, so the route must accept POST
@app.route('/', methods=['POST'])
def result():
    some_critical_data = request.form['data']
    return 'Some other critical data'


if __name__ == '__main__':
    # debug=True also exposes the Werkzeug debugger on every interface
    app.run(host='0.0.0.0', port=8071, debug=True)
Butzlabben
  • Try this link; you can make it secure using nginx via SSL: https://blog.miguelgrinberg.com/post/running-your-flask-application-over-https – Ghassen Jun 30 '19 at 12:06
  • Making it *secure* is a complex process with many steps. Perhaps you just meant to ask how to make it use TLS. – Jean-Paul Calderone Jun 30 '19 at 19:48

1 Answer


OpenSSL is cool:

from flask import Flask, request
from OpenSSL import SSL

# pyOpenSSL context; SSLv23_METHOD negotiates the highest protocol both sides support
context = SSL.Context(SSL.SSLv23_METHOD)
context.use_privatekey_file('server.key')
context.use_certificate_file('server.crt')

app = Flask(__name__)

# request.form is only populated from a POST body, so the route must accept POST
@app.route('/', methods=['POST'])
def result():
    some_critical_data = request.form['data']
    return 'Some other critical data'


if __name__ == '__main__':
    # debug=True also exposes the Werkzeug debugger on every interface
    app.run(host='0.0.0.0', port=8071, debug=True, ssl_context=context)
sashaboulouds
  • Well, how do I create this key and cert? What would stop a man in the middle from passing another public key to the client, receiving and decrypting the message from the client, encrypting it again with the public key from the server and sending this to the server? – Butzlabben Jun 30 '19 at 12:11
  • Try following this link to create an X509 certificate: https://stackoverflow.com/questions/27164354/create-a-self-signed-x509-certificate-in-python – sashaboulouds Jun 30 '19 at 12:17
  • Well, using your solution throws following error `AttributeError: module 'OpenSSL.SSL' has no attribute 'PROTOCOL_TLSv1_2'` – Butzlabben Jun 30 '19 at 12:42
  • Try this: `SSL.SSLv23_METHOD` – sashaboulouds Jun 30 '19 at 12:49
  • You generate the private key yourself and get the (signed) public key from a certificate authority. A man in the middle wouldn't be able to prove control over your domain and thus not get a certificate from a CA. You can get certificates for free from https://letsencrypt.org/. – Peter Jun 30 '19 at 13:54
  • Well, the server runs on a normal desktop computer without a domain. – Butzlabben Jun 30 '19 at 17:18
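As an added example (not from the question or the answer): the stdlib `ssl` equivalent of the answer's context with a TLS 1.2 floor, plus the client-side pinning check that addresses the man-in-the-middle and no-domain points raised in the comments. `server.crt` and `server.key` are the answer's file names; `PINNED_FINGERPRINT` is a constructed placeholder.

```python
import hashlib
import hmac
import ssl

# Constructed placeholder: put the real SHA-256 fingerprint of server.crt here
# (the value printed by: openssl x509 -in server.crt -noout -fingerprint -sha256).
PINNED_FINGERPRINT = "PLACEHOLDER-SHA256-FINGERPRINT-OF-SERVER-CRT"

def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of a DER certificate (what SSLSocket.getpeercert(binary_form=True)
    returns), as lowercase hex without colons."""
    return hashlib.sha256(der_cert).hexdigest()

def pin_matches(der_cert: bytes, pinned: str) -> bool:
    """Pin check the mobile client runs on the certificate the server presented.
    Accepts openssl's colon-separated uppercase form; a man in the middle would
    need a certificate with exactly this hash, which it cannot produce."""
    expected = pinned.replace(":", "").lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)

def server_context(certfile="server.crt", keyfile="server.key") -> ssl.SSLContext:
    """Stdlib ssl equivalent of the answer's pyOpenSSL context, but TLS 1.2+ only;
    Werkzeug accepts it via app.run(ssl_context=...)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

def pinned_client_context(cafile=None) -> ssl.SSLContext:
    """Client side for a server with no domain name: there is no hostname to
    match, so hostname checking is off, but a certificate is still required and
    only the pinned self-signed server.crt (passed as cafile) is trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx

if __name__ == "__main__":
    from flask import Flask  # imported here so the helpers above work without Flask

    app = Flask(__name__)

    @app.route("/")
    def result():
        return "Some other critical data"

    app.run(host="0.0.0.0", port=8071, ssl_context=server_context())
```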