Adds security functions to Flask applications for preventing some of the basic threats.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.


What is Flask-Mitten?

Adds security functions to Flask applications for preventing some of the basic threats.


Flask-Mitten supports Flask applications to prevent following threats.

  • Clickjacking
  • CSRF
  • Information disclosure through banner grabbing
  • JSON hijacking
  • Session fixation

It bundles functions of following Flask extensions.

More details, see the implementation.



Install the extension with the following commands:

pip install Flask-Mitten


Apply the extention to your app:

from flaskext.mitten import Mitten
app = Flask(__name__)
mitten = Mitten(app)

Request headers are overridden to prevent clickjacking and information disclosure.

If you want to set your own banner, you can do it:

mitten.banner = "My Nice Banner!"

Preventing Session Fixation

After login, call a regenerate method of session object:


The session ID is regenerated, and it prevents session fixation.

To discard a session, call a destroy method:


Preventing CSRF

To embed CSRF token, add following line to your template:

<input type="hidden" name="_csrf_token" value="{{ csrf_token() }}" />

A POST request is protected against CSRF automatically.

If you want to exclude a route from CSRF protection, use a csrf_exempt decorator:

@app.route('/public_api/', methods=['POST'])
def public_api():
    return "result", 200

Preventing JSON Hijacking

If you send a JSON response, you could use a json decorator to avoid JSON hijacking or rendering JSON responses by direct browsing:

def json_api():
    return jsonify(result='success')


For more details, see an example app.