python.flask.secret_key

Security Critical

Detects Flask apps with hardcoded or weak secret keys.

Weak secret keys:

  • Session forgery — Attackers can create valid sessions
  • CSRF bypass — Tokens become predictable
  • Complete compromise — All users affected
```python
# ❌ Before (hardcoded key)
from flask import Flask

app = Flask(__name__)
app.secret_key = 'development-key'  # literal default: anyone who reads the source can sign sessions
```

```python
# ✅ After (secure key from environment)
import os
import secrets

from flask import Flask

app = Flask(__name__)
# The random fallback only covers local development: sessions will not survive a
# restart and each worker process gets a different key. Set FLASK_SECRET_KEY in production.
app.secret_key = os.environ.get('FLASK_SECRET_KEY') or secrets.token_hex(32)
```
What it detects:

  • Hardcoded secret_key values
  • Short or weak keys
  • Default development keys
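As an added example (not the rule's own implementation), here is a small AST-based check that mirrors the three detected patterns above, plus a startup guard for the environment-variable pattern from the "after" snippet; the weak-value list and the 32-character threshold are assumptions.

```python
import ast
import os

# Constructed list of default values worth flagging; extend for your codebase.
KNOWN_WEAK = {"development-key", "dev", "secret", "changeme", "password", "test"}
MIN_LEN = 32  # assumed threshold: 32 characters (e.g. secrets.token_hex(16))


def weakness(key):
    """Return a reason string if `key` is weak by value, else None."""
    if isinstance(key, bytes):
        key = key.decode("latin-1")
    if key.strip().lower() in KNOWN_WEAK:
        return "known default value"
    if len(key) < MIN_LEN:
        return f"hardcoded key shorter than {MIN_LEN} characters"
    return None


def _is_secret_key_target(target):
    """True for `x.secret_key = ...` or `x.config['SECRET_KEY'] = ...`."""
    if isinstance(target, ast.Attribute):
        return target.attr == "secret_key"
    if isinstance(target, ast.Subscript):
        idx = target.slice
        if isinstance(idx, getattr(ast, "Index", ())):  # Python < 3.9 wraps the key
            idx = idx.value
        return isinstance(idx, ast.Constant) and idx.value == "SECRET_KEY"
    return False


def find_weak_secret_keys(source):
    """Scan Python source and return [(line, reason)] for literal secret keys.
    Runtime values (os.environ lookups, secrets.*) are not flagged."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, (str, bytes))
                and any(_is_secret_key_target(t) for t in node.targets)):
            reason = weakness(node.value.value) or "hardcoded key"
            findings.append((node.lineno, reason))
    return sorted(findings)


def require_secret_key(env=None, var="FLASK_SECRET_KEY"):
    """Runtime guard for the 'after' pattern: fail fast instead of silently
    starting with a missing or weak key. Returns the key on success."""
    key = (os.environ if env is None else env).get(var, "")
    if not key or weakness(key):
        raise RuntimeError(f"{var} must be set to at least {MIN_LEN} random characters")
    return key
```

Run `find_weak_secret_keys` over a file's text in CI, and call `require_secret_key()` once at app startup so a missing or default key aborts the process rather than serving forgeable sessions.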