Skip to main content

Flip Insecure `Flask` Session Configurations


ImportanceReview GuidanceRequires Scanning Tool
MediumMerge After ReviewNo

Flask applications can configure sessions behavior at the application level. This codemod looks for Flask application configuration that set SESSION_COOKIE_HTTPONLY, SESSION_COOKIE_SECURE, or SESSION_COOKIE_SAMESITE to an insecure value and changes it to a secure one.

The changes from this codemod look like this:

  from flask import Flask
app = Flask(__name__)
- app.config['SESSION_COOKIE_HTTPONLY'] = False
- app.config.update(SESSION_COOKIE_SECURE=False)
+ app.config['SESSION_COOKIE_HTTPONLY'] = True
+ app.config.update(SESSION_COOKIE_SECURE=True)

If you have feedback on this codemod, please let us know!


Why is this codemod marked as Merge After Review?

Our change fixes explicitly insecure session configuration for a Flask application. However, there may be valid cases to use these insecure configurations, such as for testing or backward compatibility.

Codemod Settings