Reputation: 2217
For security reasons, I want to know whether all of my endpoint addresses can be accessed by anyone with access to the (home) address and port numbers?
Upvotes: 1
Views: 160
Reputation: 14516
Assuming you are running your application on a server or PC that can be accessed from the internet, and the port it is running on is opened - as opposed to running locally on your local network/PC - then yes, any client that knows (or guesses) your IP and the port on which the application is running can attempt to access any endpoint in your application.
Note that although the client will not have a full list of endpoints that can be accessed, a common attack vector is to repeatedly attempt to guess endpoints - for example /admin or /debug. Due to automation, it is practically guaranteed that if your server running the Flask application is open to the internet, requests will be made to try to access endpoints by third parties.
Due to this, it is essential to lock down any sensitive information behind security, be that IP white-listing, or by login mechanisms such as those provided by the flask-login module.
Upvotes: 1
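One way to apply the IP allow-listing mentioned in the answer above, as an added example that is not part of the original post: a standard-library WSGI middleware that serves protected path prefixes only to allowed networks. The class name, the choice of /admin and /debug as protected prefixes, the network ranges and the stand-in `demo_app` are assumptions; with Flask it would be attached as `app.wsgi_app = IPAllowlistMiddleware(app.wsgi_app, ...)`.

```python
import ipaddress

class IPAllowlistMiddleware:
    """WSGI middleware: protected path prefixes are served only to allowed networks."""
    def __init__(self, app, protected_prefixes, allowed_networks):
        self.app = app
        self.prefixes = tuple(p.rstrip("/") for p in protected_prefixes)
        self.networks = [ipaddress.ip_network(n) for n in allowed_networks]

    def _is_protected(self, path):
        # Match "/admin" and "/admin/..." but not "/administrator".
        return any(path == p or path.startswith(p + "/") for p in self.prefixes)

    def _is_allowed(self, remote_addr):
        # REMOTE_ADDR is the TCP peer. Behind a reverse proxy it is the proxy's
        # address, so the proxy must enforce the rule or pass a trusted client IP.
        try:
            addr = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False  # missing or malformed address: deny
        return any(addr in net for net in self.networks)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if self._is_protected(path) and not self._is_allowed(environ.get("REMOTE_ADDR", "")):
            body = b"Forbidden"
            start_response("403 Forbidden", [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    # Constructed stand-in for the Flask application: answers every path with 200.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def status_for(app, path, remote_addr):
    """Send one constructed request through a WSGI app and return its status line."""
    seen = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    b"".join(app(environ, lambda status, headers: seen.append(status)))
    return seen[0]

# Constructed policy: /admin and /debug reachable only from loopback and one LAN range.
guarded = IPAllowlistMiddleware(demo_app, ["/admin", "/debug"], ["127.0.0.0/8", "192.168.1.0/24"])
```

An allow-list like this limits who can reach an endpoint at all; it does not replace authentication on the endpoint itself.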