
I'm thinking about running a very simple Flask server locally (using the default development server) and then opening it up to the web via http://localhost.run/. I intend for this to be a personal webhook server and nothing else.

I've seen related questions before (for example, Is the server bundled with Flask safe to use in production?, etc), but:

  1. I don't care that it won't scale well
  2. I don't expect to get more than one request at a time
  3. I will not be using the debugging mode

My question is this: How safe will my computer and local network be if I do this? I will probably limit requests to POST requests and check to see that they have a special key, or something like that, and the only thing I'm going to be doing with the webhooks is displaying a notification.

Zeke
  • I ran a flask project from a raspi using the built-in development server. Opening up some ports on my local network and so on. Been running it for 2 years, without any known safety issues that I have seen. But yeah, it's still risky. I am doing it knowing it is risky. Anyone with any knowledge can probably get into my network – Akib Rhast May 28 '20 at 21:19

1 Answer

Short of someone from the Pallets Project speaking up, the official word on the recommendation is

https://flask.palletsprojects.com/en/1.1.x/tutorial/deploy/#run-with-a-production-server

If you have enough access to a server to permit running something that'll listen to a socket, the step of adding a WSGI server isn't a big one. The link above recommends waitress (and provides instructions), but gunicorn and uwsgi will work, too.

Adding my opinion:

Parsing HTTP and dealing with edge-cases is hard, so why should Flask/Werkzeug spend effort dealing with edge cases when there are WSGI front-ends that already take on the responsibility? In their position (which I'm not), I'd punt scaling and security to WSGI servers, and focus on making an excellent framework.

Dave W. Smith
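As an added example (not from the answer or from the Flask project), here is the asker's POST-only, key-checked webhook written as a plain WSGI callable, which is all a Flask app is underneath, served with waitress as the answer recommends instead of `app.run()`. The `/hook` path, the `X-Webhook-Key` header, the `WEBHOOK_KEY` environment variable and the 64 KiB body cap are assumptions made for the example.

```python
import hmac
import json
import os

# Constructed fallback key for the example; in practice set WEBHOOK_KEY in
# the environment (assumed name) and never keep a real key in the source.
WEBHOOK_KEY = os.environ.get("WEBHOOK_KEY", "example-key-change-me")
MAX_BODY = 64 * 1024  # refuse to read more than this from the client


def key_is_valid(presented):
    """Constant-time comparison so a wrong key leaks no timing information."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), WEBHOOK_KEY.encode())


def _respond(start_response, status, body):
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


def notify(payload):
    """Stand-in for the desktop notification the asker wants to display."""
    print("webhook:", payload.get("message", "<no message>"))


def webhook_app(environ, start_response):
    """WSGI callable: only POST /hook with a valid key and a JSON body is accepted."""
    if environ.get("PATH_INFO") != "/hook":
        return _respond(start_response, "404 Not Found", b"not found")
    if environ.get("REQUEST_METHOD") != "POST":
        return _respond(start_response, "405 Method Not Allowed", b"POST only")
    if not key_is_valid(environ.get("HTTP_X_WEBHOOK_KEY")):
        return _respond(start_response, "401 Unauthorized", b"bad key")
    try:
        length = min(int(environ.get("CONTENT_LENGTH") or 0), MAX_BODY)
    except ValueError:
        length = 0
    try:
        payload = json.loads(environ["wsgi.input"].read(length))
    except ValueError:
        return _respond(start_response, "400 Bad Request", b"invalid JSON")
    notify(payload)
    return _respond(start_response, "204 No Content", b"")


if __name__ == "__main__":
    from waitress import serve  # the production WSGI server the answer points to
    serve(webhook_app, host="127.0.0.1", port=5000)  # expose via the tunnel, not 0.0.0.0
```

A Flask app object can be passed to `waitress.serve` in exactly the same way, so the checks above map one-to-one onto a Flask route that tests `request.method` and the header.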