Chen-CN

Reputation: 103

Is there any way to improve my flask website security?

I am currently building a website for production use. However, I do have some security concerns about it. Any advice or suggestion will be greatly appreciated!

Here is what I did so far:

  1. My web-app is Python Flask based.
  2. Heroku is my host (which supports https).
  3. AWS RDS is my backend database.
  4. Because Heroku uses dynamic IP, I have to open IP restrictions for AWS RDS. However, I have enforced SSL connections for the database.
  5. In my code, all the sensitive parameters are stored as config variables. I call them using os.environ()
  6. Moreover, all HTTP requests have to provide a token which I provide to the customers.

The following code shows what I did for Token authentication. But I believe there's a better way to achieve it.

import os
from flask import request, abort

user_token = os.environ['USER_TOKEN']  # hypothetical name for the config variable holding the customer token

if request.method == 'POST':
    token = request.headers.get('Authorization', '')
    token_key = 'Token token="%s"' % (user_token)
    if token != token_key:
        # log before aborting: abort() raises, so nothing after it would run
        print('authentication failed!', request.json)
        abort(400)
    else:
        pass  # handle the authenticated request here

Again, I would really appreciate it if anyone can give me any advice, or provide me a brief risk assessment of the method I use to build the app.

Upvotes: 2

Views: 404

Answers (1)

Mikhail Savushkin

Reputation: 534

Security problems are usually about specific details of implementation, not about the platform you use to deploy your app. Heroku is fine, but your app might be not.

First of all, have you considered using Heroku's Postgres DBs? Opening your DB to the internet is definitely not a good thing.

The other thing is your token validation. It's not clear where you get these user_tokens from, but I bet you store them in a DB "as is", which is also not ideal. You might wanna consider storing hashes, and compare hashes on request.

Last thing - if you have an SSH access to your server, it's a good practice to whitelist your own IP to access it, and block all others.

These are just common practices and won't guarantee security of your app. Only a good audit will.

Upvotes: 1
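The hash-and-compare approach suggested in the answer, applied to the question's `Token token="..."` header scheme, as an added example (not code from either poster): only SHA-256 hashes of issued tokens are kept, the header is parsed strictly, and comparison uses `hmac.compare_digest` so the check is not timing-dependent. The Flask route itself is left out; a view would call `authenticate(request.headers.get('Authorization'))` and `abort(401)` on `None`. The in-memory `TOKEN_HASHES` dict stands in for the database table and is an assumption of the example.

```python
import hashlib
import hmac
import secrets

# Stand-in for the database table: hash -> customer. Only the hash is stored;
# the plaintext token is handed to the customer once and never kept.
TOKEN_HASHES = {}


def hash_token(token: str) -> str:
    """SHA-256 hex digest of a token. A high-entropy random token does not
    need a slow password hash; hashing is enough to stop a leaked table
    from being usable directly as credentials."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(customer: str) -> str:
    """Generate a fresh 256-bit token for a customer, store only its hash,
    and return the plaintext exactly once (to be sent to the customer)."""
    token = secrets.token_urlsafe(32)
    TOKEN_HASHES[hash_token(token)] = customer
    return token


def parse_authorization(header_value: str):
    """Pull the token out of 'Token token="<value>"'; None if malformed."""
    prefix, suffix = 'Token token="', '"'
    if not (header_value.startswith(prefix) and header_value.endswith(suffix)):
        return None
    return header_value[len(prefix):-len(suffix)] or None


def authenticate(header_value):
    """Return the customer for a valid Authorization header, else None.
    Every stored hash is checked with hmac.compare_digest, and the loop is
    not cut short on a hit, so response time does not leak which prefix of
    a guessed value matched or where the matching row sits."""
    token = parse_authorization(header_value or "")
    if token is None:
        return None
    presented = hash_token(token)
    match = None
    for stored_hash, customer in TOKEN_HASHES.items():
        if hmac.compare_digest(presented, stored_hash):
            match = customer
    return match
```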
