Python Hardcoded Flask Secret Key
Description
Detects when a Flask application's secret key is set to a hardcoded string value. Flask uses the secret key to sign session cookies, so it should be a secure random value stored outside the code. A hardcoded secret key lets anyone who can read the source predict session contents and tamper with or forge sessions.
Detection Strategy
• Check if Flask is imported and accessible in the code
• Look for assignments to the 'secret_key' configuration attribute of a Flask application instance
• Verify if the assigned value is a hardcoded string literal
• Report a vulnerability if a Flask app's secret key is set directly to a string constant
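The four steps above map directly onto a small static check over Python's own syntax tree. The following checker is an added example (not Fluid Attacks' detection engine or code from the page): it confirms that flask is imported, collects the names bound to Flask(...) calls, and flags any assignment that stores a str/bytes literal into one of those instances' secret_key attribute. It also goes one step beyond the page's strategy and flags app.config["SECRET_KEY"] = "literal", which sets the same configuration entry. The sample sources, the Finding class and the FLASK_MODULE/FLASK_CLASS constants are all constructed for this example.

```python
import ast
from dataclasses import dataclass
from typing import List, Set

# Assumed names for this added checker (not the page's own tooling).
FLASK_MODULE = "flask"
FLASK_CLASS = "Flask"


@dataclass
class Finding:
    lineno: int
    target: str


def _flask_imported(tree: ast.AST) -> bool:
    """Step 1: is Flask imported at all? Otherwise `.secret_key` is just an attribute."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(a.name == FLASK_MODULE or a.name.startswith(FLASK_MODULE + ".")
                   for a in node.names):
                return True
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module == FLASK_MODULE or node.module.startswith(FLASK_MODULE + "."):
                return True
    return False


def _flask_app_names(tree: ast.AST) -> Set[str]:
    """Names bound to a Flask(...) call, e.g. `app` in `app = Flask(__name__)`."""
    names: Set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Call):
            func = node.value.func
            callee = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if callee == FLASK_CLASS:
                names.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return names


def _is_string_literal(node: ast.AST) -> bool:
    """Step 3: only a str/bytes constant is a finding; os.environ lookups or names are not."""
    return isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes))


def find_hardcoded_secret_keys(source: str) -> List[Finding]:
    """Steps 2 and 4: report literal assignments to a Flask instance's secret key."""
    tree = ast.parse(source)
    if not _flask_imported(tree):
        return []
    apps = _flask_app_names(tree)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Assign) or not _is_string_literal(node.value):
            continue
        for target in node.targets:
            # app.secret_key = "literal"
            if (isinstance(target, ast.Attribute) and target.attr == "secret_key"
                    and isinstance(target.value, ast.Name) and target.value.id in apps):
                findings.append(Finding(node.lineno, f"{target.value.id}.secret_key"))
            # Generalisation: app.config["SECRET_KEY"] = "literal" sets the same entry
            elif (isinstance(target, ast.Subscript)
                  and isinstance(target.value, ast.Attribute) and target.value.attr == "config"
                  and isinstance(target.value.value, ast.Name) and target.value.value.id in apps
                  and isinstance(target.slice, ast.Constant) and target.slice.value == "SECRET_KEY"):
                findings.append(Finding(node.lineno, f'{target.value.value.id}.config["SECRET_KEY"]'))
    return findings


# Constructed sample inputs for the checker.
VULNERABLE_SAMPLE = '''\
from flask import Flask
app = Flask(__name__)
app.secret_key = "my_super_secret_key_12345"
app.config["SECRET_KEY"] = "another-literal"
'''

SAFE_SAMPLE = '''\
import os
from flask import Flask
app = Flask(__name__)
app.secret_key = os.environ.get("FLASK_SECRET_KEY")
'''

NOT_FLASK_SAMPLE = '''\
class Flask: pass
app = Flask()
app.secret_key = "literal"
'''

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SAMPLE), ("safe", SAFE_SAMPLE), ("not flask", NOT_FLASK_SAMPLE)]:
        print(name, [(f.lineno, f.target) for f in find_hardcoded_secret_keys(src)])
```

Running the block reports lines 3 and 4 of the vulnerable sample and nothing for the other two. The check is deliberately conservative: a key pulled from a variable is not flagged, which is why the page's truncated "using a constant" case would need a follow-up rule that resolves module-level constants.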
Vulnerable code example
from flask import Flask
app = Flask(__name__)
# Hardcoded secret key directly in code - security risk
app.secret_key = "my_super_secret_key_12345" # Vulnerable: Secret key exposed in source code
# Using a constant still exposes the secret...
✅ Secure code example
import os
from flask import Flask
app = Flask(__name__)
# Load secret key from environment variable
app.secret_key = os.environ.get('FLASK_SECRET_KEY') # Safe: Secret loaded from environment
if not app.secret_key:
    # Fail fast: with no key Flask cannot sign sessions and errors on first use
    raise RuntimeError("FLASK_SECRET_KEY is not set")
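Reading the key from the environment is only half of the fix: os.environ.get returns None when the variable is missing, and a weak or placeholder value is as bad as a literal. The helper below is an added example (not the page's or Flask's code) that generates a key once at provisioning time and validates the value at startup before it is handed to the app. The variable name FLASK_SECRET_KEY, the 32-byte key size, the 32-character minimum and the PLACEHOLDER_VALUES set are assumptions made for this example; Flask itself is not imported so the block runs stand-alone.

```python
import os
import secrets
from typing import List, Mapping, Optional

# Assumptions for this added example: a 64-hex-character key (32 random bytes)
# read from FLASK_SECRET_KEY; the page only fixes the variable name.
KEY_BYTES = 32
MIN_KEY_CHARS = 32
ENV_VAR = "FLASK_SECRET_KEY"
# Constructed list of placeholder values that must never reach production.
PLACEHOLDER_VALUES = {"changeme", "secret", "dev", "password"}


def generate_secret_key() -> str:
    """Run once when provisioning; store the output in the secret store or env, never in source."""
    return secrets.token_hex(KEY_BYTES)


def secret_key_problems(value: Optional[str]) -> List[str]:
    """Sanity checks on a candidate key; the length floor is not an entropy measurement."""
    if not value:
        return ["missing"]
    problems: List[str] = []
    if len(value) < MIN_KEY_CHARS:
        problems.append("too short")
    if value.lower() in PLACEHOLDER_VALUES:
        problems.append("placeholder value")
    return problems


def load_secret_key(environ: Mapping[str, str] = os.environ, name: str = ENV_VAR) -> str:
    """Fail fast at startup instead of letting Flask raise on the first session write."""
    value = environ.get(name)
    problems = secret_key_problems(value)
    if problems:
        raise RuntimeError(f"{name}: {', '.join(problems)}")
    return value  # type: ignore[return-value]  # problems is empty, so value is a str


if __name__ == "__main__":
    # In the real application this would be: app.secret_key = load_secret_key()
    fresh = generate_secret_key()
    print("generated key length:", len(fresh))
    print("loaded:", load_secret_key({ENV_VAR: fresh})[:8] + "...")
```

Passing the mapping explicitly (rather than reading os.environ inside) keeps the loader testable and makes the "which store does this key come from" decision visible at the call site.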