A production-ready Flask application with comprehensive security features, built using bcrypt authentication, Flask-WTF forms, SQLAlchemy ORM, and Preline CSS for modern UI design.

## Security Features

- Password Hashing: Bcrypt password hashing with configurable cost factor (12 rounds)
- CSRF Protection: Automatic CSRF token generation and validation on all forms
- Rate Limiting: Built-in rate limiting to prevent brute-force attacks
- Account Lockout: Automatic account lockout after 5 failed login attempts (30 minutes)
- Session Security: Secure session management with httpOnly and SameSite cookies
- Security Headers: Flask-Talisman for HTTPS enforcement, CSP, HSTS, and X-Frame-Options
- API Key Authentication: Secure API key generation and management
- Password Requirements: Strong password validation (8+ chars, uppercase, lowercase, digit, special char)
- Environment-based Config: Separate configurations for development, testing, and production
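The password policy and lockout rules above translate directly into code. The following is an added illustration, not code from this project: the thresholds (8 characters, the four character classes, 5 failed attempts, 30 minutes) are the README's, while the class and function names, the `LoginState` fields and the constructed timestamps are assumptions.

```python
"""Password policy and account lockout (added illustration, not the project's code).

Thresholds follow the README: at least 8 characters with an uppercase letter, a
lowercase letter, a digit and a special character; lock the account for 30
minutes after 5 failed logins. Names and the LoginState fields are assumed.
"""
from __future__ import annotations

import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_DURATION = timedelta(minutes=30)


def validate_password(password: str) -> List[str]:
    """Return the unmet requirements; an empty list means the password passes the policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("an uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("a digit")
    if not any(c in string.punctuation for c in password):
        problems.append("a special character")
    return problems


@dataclass
class LoginState:
    """Counters a User row would persist (hypothetical column names)."""

    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until


def attempt_login(state: LoginState, password_ok: bool, now: datetime) -> str:
    """Apply the lockout policy and return "ok", "invalid" or "locked".

    The caller should still answer the client with one generic failure message
    for both "invalid" and "locked"; the distinction is for server-side logging.
    """
    if state.is_locked(now):
        return "locked"
    if state.locked_until is not None:
        # An expired lock: start counting afresh instead of re-locking on the next miss.
        state.failed_attempts = 0
        state.locked_until = None
    if password_ok:
        state.failed_attempts = 0
        return "ok"
    state.failed_attempts += 1
    if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
        state.locked_until = now + LOCKOUT_DURATION
        return "locked"
    return "invalid"


def lockout_demo() -> List[str]:
    """Replay five wrong passwords, then a correct one during and after the lock."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamp
    state = LoginState()
    outcomes = [attempt_login(state, False, t0) for _ in range(MAX_FAILED_ATTEMPTS)]
    outcomes.append(attempt_login(state, True, t0 + timedelta(minutes=10)))  # still locked
    outcomes.append(attempt_login(state, True, t0 + timedelta(minutes=31)))  # lock expired
    return outcomes


if __name__ == "__main__":
    print(validate_password("Str0ng!Pass"))
    print(lockout_demo())
```

The expired-lock branch matters: without resetting the counter, the sixth wrong guess after the 30 minutes would re-lock the account immediately, which turns the policy into a permanent lock that an attacker can keep renewing against a victim's account.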
## Application Features

- User registration and authentication
- User profile management
- Password change functionality
- RESTful API with authentication
- Admin user management
- Responsive UI with Preline CSS (Tailwind)
- Dark mode support
- API documentation
## Tech Stack

- Flask 3.1+: Modern Python web framework
- SQLAlchemy 2.0+: Python SQL toolkit and ORM
- Flask-Bcrypt: Password hashing with bcrypt
- Flask-WTF: Form validation and CSRF protection
- Flask-Login: User session management
- Flask-Limiter: Rate limiting for API endpoints
- Flask-Talisman: Security headers and HTTPS enforcement
- Preline CSS: Modern Tailwind CSS component library
## Prerequisites

- Python 3.8 or higher
- pip (Python package installer)
- Virtual environment (recommended)
## Installation

1. Clone or download the repository

   ```bash
   cd flask-app
   ```

2. Create and activate a virtual environment

   ```bash
   python3 -m venv venv
   source venv/bin/activate  # On Windows: venv\Scripts\activate
   ```

3. Install dependencies

   ```bash
   pip install -r requirements.txt
   ```

4. Set up environment variables

   ```bash
   cp .env.example .env
   ```

   Edit `.env` and update the following:

   - `SECRET_KEY`: Generate a secure secret key with `python -c 'import secrets; print(secrets.token_hex(32))'`
   - `DATABASE_URL`: Database connection string (default: SQLite)
   - `ADMIN_EMAIL`: Initial admin user email
   - `ADMIN_PASSWORD`: Initial admin user password (change after first login!)

5. Initialize the database

   The database will be created automatically on first run with a default admin user.

6. Run the application

   ```bash
   python run.py
   ```

   The application will be available at http://127.0.0.1:5000
## Configuration

Create a `.env` file in the root directory:

```env
FLASK_ENV=development
SECRET_KEY=your-secret-key-here
DATABASE_URL=sqlite:///instance/app.db
ADMIN_EMAIL=admin@example.com
ADMIN_PASSWORD=changeme123
```

The `FLASK_ENV` value selects one of three configurations:

- Development: Debug enabled, HTTP allowed, relaxed security
- Production: Debug disabled, HTTPS enforced, strict security
- Testing: In-memory database, CSRF disabled for testing
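How the three environments differ is easiest to see as configuration classes. The example below is added here and is not this project's `config.py`: the key names are those Flask, Flask-WTF and Flask-Bcrypt read, but the class contents, the `audit_config` helper and the checks it performs are assumptions that follow the descriptions above.

```python
"""Environment-specific configuration classes plus a pre-deployment audit.

Added illustration, not the project's config.py. SECRET_KEY, DEBUG, TESTING and
the SESSION_COOKIE_* keys are read by Flask, WTF_CSRF_ENABLED by Flask-WTF and
BCRYPT_LOG_ROUNDS by Flask-Bcrypt; the class contents and audit_config are
assumptions modelled on the README's development/testing/production split.
"""
import os
from typing import List, Type

# Values that must never be used as a real SECRET_KEY (the .env sample included).
PLACEHOLDER_KEYS = {"", "your-secret-key-here", "dev-only-placeholder"}


class Config:
    """Secure-by-default base; each environment relaxes only what it must."""

    SECRET_KEY = os.environ.get("SECRET_KEY", "dev-only-placeholder")
    SQLALCHEMY_DATABASE_URI = os.environ.get("DATABASE_URL", "sqlite:///instance/app.db")
    SQLALCHEMY_TRACK_MODIFICATIONS = False
    BCRYPT_LOG_ROUNDS = 12            # cost factor from the README
    WTF_CSRF_ENABLED = True
    SESSION_COOKIE_HTTPONLY = True    # not readable from JavaScript
    SESSION_COOKIE_SAMESITE = "Lax"   # not sent on cross-site POSTs
    SESSION_COOKIE_SECURE = True      # only sent over HTTPS
    DEBUG = False
    TESTING = False


class DevelopmentConfig(Config):
    DEBUG = True
    SESSION_COOKIE_SECURE = False     # plain http://127.0.0.1:5000 must work locally


class TestingConfig(Config):
    TESTING = True
    SQLALCHEMY_DATABASE_URI = "sqlite:///:memory:"
    WTF_CSRF_ENABLED = False          # test clients post forms without tokens
    BCRYPT_LOG_ROUNDS = 4             # keep the test suite fast


class ProductionConfig(Config):
    pass                              # inherits the strict defaults unchanged


def audit_config(cfg: Type[Config]) -> List[str]:
    """Return every setting that should not reach production (empty list = clean)."""
    findings = []
    if cfg.DEBUG:
        findings.append("DEBUG is enabled")
    if cfg.TESTING:
        findings.append("TESTING is enabled")
    if cfg.SECRET_KEY in PLACEHOLDER_KEYS:
        findings.append("SECRET_KEY is a placeholder")
    if not cfg.SESSION_COOKIE_SECURE:
        findings.append("SESSION_COOKIE_SECURE is off")
    if not cfg.SESSION_COOKIE_HTTPONLY:
        findings.append("SESSION_COOKIE_HTTPONLY is off")
    if cfg.SESSION_COOKIE_SAMESITE not in ("Lax", "Strict"):
        findings.append("SESSION_COOKIE_SAMESITE is not Lax or Strict")
    if not cfg.WTF_CSRF_ENABLED:
        findings.append("CSRF protection is disabled")
    if cfg.BCRYPT_LOG_ROUNDS < 12:
        findings.append("BCRYPT_LOG_ROUNDS below 12")
    return findings


if __name__ == "__main__":
    for name, cls in (("development", DevelopmentConfig),
                      ("testing", TestingConfig),
                      ("production", ProductionConfig)):
        print(name, audit_config(cls) or "clean")
```

Running `audit_config(ProductionConfig)` at start-up (and refusing to boot on any finding) catches the common deployment mistake of exporting `FLASK_ENV=production` while leaving the sample `SECRET_KEY` in `.env`.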
## Default Admin Account

On first run, a default admin account is created:

- Username: `admin`
- Email: From `ADMIN_EMAIL` in `.env` (default: admin@example.com)
- Password: From `ADMIN_PASSWORD` in `.env` (default: changeme123)

Important: Change the admin password immediately after first login!
## Web Routes

- Homepage: http://127.0.0.1:5000/
- Register: http://127.0.0.1:5000/auth/register
- Login: http://127.0.0.1:5000/auth/login
- Dashboard: http://127.0.0.1:5000/dashboard (requires login)
- Profile: http://127.0.0.1:5000/auth/profile (requires login)
## API Endpoints

### Authentication

- `POST /api/auth/login` - Login and get an API key. Request body:

  ```json
  { "username": "your_username", "password": "your_password" }
  ```

- `GET /api/auth/me` - Get current user info (requires API key)

### API Keys

- `GET /api/keys` - List your API keys (requires login)
- `POST /api/keys` - Create new API key (requires login)
- `DELETE /api/keys/<id>` - Revoke API key (requires login)

### Users

- `GET /api/users` - List all users
- `GET /api/users/<id>` - Get user by ID
- `PUT /api/users/<id>` - Update user
- `DELETE /api/users/<id>` - Delete user

### Using Your API Key

Include your API key in the request headers:

```bash
curl -H "X-API-Key: your-api-key-here" http://127.0.0.1:5000/api/auth/me
```

### Rate Limits

- Default: 200 requests per day, 50 per hour
- Registration: 5 per hour
- Login: 10 per minute
- Password Change: 5 per hour
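For the `X-API-Key` header used above, the following added example (not the project's `api.py`) shows one way to issue keys, store only a digest of each key, and resolve a request header to a user. The header name and the create/revoke operations come from this README; `ApiKeyStore`, `digest_of`, the key length and the in-memory store are assumptions.

```python
"""Issuing and checking API keys sent in the X-API-Key header.

Added illustration, not the project's api.py. The header name comes from the
README; storing a SHA-256 digest instead of the key, the key length and the
class/function names are choices made here.
"""
import hashlib
import secrets
from typing import Dict, Optional


def digest_of(key: str) -> str:
    """Digest under which a key is stored and looked up.

    API keys are high-entropy random strings, so an unsalted SHA-256 is adequate
    and keeps lookups O(1); bcrypt is reserved for user-chosen passwords. A
    leaked table of digests does not yield the keys themselves.
    """
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """In-memory stand-in for an ApiKey table: digest -> owner and metadata."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def issue(self, user_id: str, key_id: str) -> str:
        """Create a key for user_id; the plaintext is returned once and never stored."""
        key = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._records[digest_of(key)] = {"user_id": user_id, "key_id": key_id, "revoked": False}
        return key

    def revoke(self, key_id: str) -> bool:
        """Mark a key revoked (the DELETE /api/keys/<id> operation). Returns False if unknown."""
        for record in self._records.values():
            if record["key_id"] == key_id and not record["revoked"]:
                record["revoked"] = True
                return True
        return False

    def authenticate(self, headers: Dict[str, str]) -> Optional[str]:
        """Return the owning user_id for a valid, unrevoked X-API-Key, else None.

        `headers` is a plain dict here; a real request object (Flask's
        request.headers) matches header names case-insensitively. The lookup is
        by digest, so timing of the dict lookup reveals nothing about the key.
        """
        presented = headers.get("X-API-Key", "")
        if not presented:
            return None
        record = self._records.get(digest_of(presented))
        if record is None or record["revoked"]:
            return None
        return record["user_id"]


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("alice", "key-1")   # constructed user and key id
    print(store.authenticate({"X-API-Key": key}))         # alice
    store.revoke("key-1")
    print(store.authenticate({"X-API-Key": key}))         # None
```

Because only digests are persisted, `GET /api/keys` can list key ids and owners but can never show the key value again; that is the intended trade-off, and clients that lose a key simply create a new one.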
## Security Best Practices

- Never commit the `.env` file or the `instance/` directory
- Use strong, unique secret keys
- Change default admin credentials immediately
- Keep dependencies updated

## Production Deployment

- Set `FLASK_ENV=production`
- Use environment variables for all sensitive data
- Use HTTPS (Talisman enforces this)
- Use a production database (PostgreSQL, MySQL)
- Set up proper logging and monitoring
- Use a production WSGI server (Gunicorn, uWSGI)
- Implement backup strategies
- Review and customize security headers
Example with Gunicorn:

```bash
pip install gunicorn
gunicorn -w 4 -b 0.0.0.0:8000 'app:create_app("production")'
```

## Project Structure

```
flask-app/
├── app/
│   ├── __init__.py          # Application factory
│   ├── models.py            # Database models
│   ├── forms.py             # WTForms forms
│   ├── routes/
│   │   ├── __init__.py
│   │   ├── auth.py          # Authentication routes
│   │   ├── api.py           # API routes
│   │   └── main.py          # Main routes
│   ├── static/
│   │   └── css/
│   └── templates/           # Jinja2 templates
│       ├── base.html
│       ├── auth/
│       ├── errors/
│       └── ...
├── instance/                # Instance folder (not in git)
│   └── app.db               # SQLite database
├── config.py                # Configuration classes
├── run.py                   # Application entry point
├── requirements.txt         # Python dependencies
├── .env                     # Environment variables (not in git)
├── .env.example             # Example environment file
├── .gitignore               # Git ignore rules
└── README.md                # This file
```
## Testing

To run the application in testing mode:

```python
from app import create_app

app = create_app('testing')
```

## Contributing

- Follow the PEP 8 style guide
- Add tests for new features
- Update documentation
- Ensure all security features remain intact
## Security

If you discover a security vulnerability, please email the maintainer directly rather than using the issue tracker.
## License

MIT License - feel free to use this for your projects!
## Support

For issues and questions:
- Check the documentation
- Review the code comments
- Open an issue on the repository
## Acknowledgments

- Flask team for the amazing framework
- Preline for the beautiful UI components
- All the Flask extension authors
Built with security in mind. Version 1.0.0