Foreword for Experienced Programmers

Thread-Locals in Flask

One of the design decisions in Flask was that simple tasks should be simple; they should not take a lot of code and yet they should not limit you. Because of that, Flask has a few design choices that some people might find surprising or unorthodox. For example, Flask uses thread-local objects internally so that you don't have to pass objects around from function to function within a request in order to stay thread-safe. This approach is convenient, but requires a valid request context for dependency injection or when attempting to reuse code which uses a value pegged to the request. The Flask project is honest about thread-locals, does not hide them, and calls out in the code and documentation where they are used.

Develop for the Web with Caution

Always keep security in mind when building web applications.

If you write a web application, you are probably allowing users to register and leave their data on your server. The users are entrusting you with data. And even if you are the only user that might leave data in your application, you still want that data to be stored securely.

Unfortunately, there are many ways the security of a web application can be compromised. Flask protects you against one of the most common security problems of modern web applications: cross-site scripting (XSS). Unless you deliberately mark insecure HTML as secure, Flask and the underlying Jinja2 template engine have you covered. But there are many more ways to cause security problems.
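To show what "unless you deliberately mark insecure HTML as secure" means in practice, here is an added, stdlib-only illustration (not Flask's or Jinja2's own code) of the autoescaping rule they apply: every value is HTML-escaped unless it carries the `__html__` protocol that `markupsafe.Markup` (and the `|safe` filter) uses to declare it already safe. The `render`, `escape` and `Markup` helpers and the sample comment are constructed for this example.

```python
import html
import re


class Markup(str):
    """A string the developer has declared to be safe HTML. Mirrors the
    markupsafe.Markup idea: implementing __html__ tells the renderer to
    pass the value through unescaped (assumed helper, not Flask's)."""

    def __html__(self):
        return str(self)


def escape(value):
    """Autoescape rule: honour __html__ if the object provides it,
    otherwise HTML-escape the text (including quotes, so attribute
    values are covered too)."""
    if hasattr(value, "__html__"):
        return Markup(value.__html__())
    return Markup(html.escape(str(value), quote=True))


# Minimal {{ name }} substitution; Flask enables autoescaping like this
# for .html templates by default.
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, **context):
    return PLACEHOLDER.sub(lambda m: escape(context[m.group(1)]), template)


# Constructed sample: untrusted user input containing markup and quotes.
USER_COMMENT = '<script>alert(1)</script> "quoted"'
TEMPLATE = "<p>{{ comment }}</p>"


def render_user_comment():
    # A plain str is escaped, so the browser displays it as text.
    return render(TEMPLATE, comment=USER_COMMENT)


def render_trusted_html():
    # Wrapping in Markup is the deliberate "this is safe" step; only do
    # it for HTML you generated yourself or sanitized first.
    return render(TEMPLATE, comment=Markup("<b>admin note</b>"))
```

The same two outcomes appear in Flask: `render_template` escapes `request.form["comment"]`, while `Markup(...)` or `{{ comment|safe }}` bypasses the escaping.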

The documentation will warn you about aspects of web development that require attention to security. Some of these security concerns are far more complex than one might think, and we all sometimes underestimate the likelihood that a vulnerability will be exploited - until a clever attacker figures out a way to exploit our applications. And don't think that your application is not important enough to attract an attacker. Depending on the kind of attack, chances are that automated bots are probing for ways to fill your database with spam, links to malicious software, and the like.

Flask is no different from any other framework in that you, the developer, must build with caution, watching for exploits when building to your requirements.