In order to support HTTPS in Python Flask, one has to specify the ssl_context option on the app.run() call.
It is documented as such:
ssl_context – an SSL context for the connection. Either an ssl.SSLContext, a tuple in the form (cert_file, pkey_file), the string 'adhoc' if the server should automatically create one, or None to disable SSL (which is the default).
Here are the enumerated options:
What is the difference between those options in these contexts:
Flask HTTPS refers to developing Flask applications and deploying them for production use over HTTPS, i.e. over encrypted connections, which provides extra security.
You can use ngrok, an open-source tool that tunnels your HTTP traffic. Basically, ngrok creates a public URL (both http and https) and then tunnels the traffic to whatever port your Flask process is running on. It will then open up a window in the terminal giving you both an http and an https URL to access your web app.
Flask-OAuth is an extension to Flask that allows you to interact with remote OAuth-enabled applications. Currently it only implements the consumer interface, so you cannot expose your own API with OAuth. Flask-OAuth depends on the python-oauth2 module.
3. Security is the only one that matters, and the answer is "never use the Werkzeug/Flask dev server in production." The ssl_context option is there for convenience during testing, but a production application should use real application and web servers such as uWSGI along with Nginx, configuring Nginx appropriately to present a real TLS certificate.
With the first two options, you provide a certificate of your own, which might (should) be either signed by a recognized authority or by your client if you manage them (this happens either if your application is deployed in a context where you can install your certificate on each computer, or if your client is not a web browser but your own application and you can ship the certificate with it).
This will show the user that he is communicating with the real server, not with someone trying to eavesdrop on the traffic.
The third option will create a self-signed certificate, offering no guarantee to the user on that matter.
In terms of user experience, using a self-signed certificate when the client is a web browser will raise a worrying message about the certificate's validity, saying something like "serious web sites would not ask you to blindly accept an unknown certificate".
To sum-up, you have three options (your options 1 & 2 are the same in the end):
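The following is an added example, not code from the question or either answer above. It shows what the answers describe in working form: the ssl.SSLContext form of the ssl_context option (as opposed to the (cert_file, pkey_file) tuple, where Werkzeug picks the protocol settings for you) with a minimum TLS version pinned, plus the client side of the "ship the certificate with your own client" case, where a self-signed or private-CA certificate is trusted explicitly instead of relying on a public authority. The file names server.crt, server.key and ca.pem are assumptions for illustration; the Flask usage is only run when the script is executed directly.

```python
import ssl

# Assumed file names for illustration; replace with your own certificate material.
CERT_FILE = "server.crt"
KEY_FILE = "server.key"
CA_FILE = "ca.pem"


def hardened_server_context(cert_file=None, key_file=None):
    """Build the ssl.SSLContext to pass as app.run(ssl_context=...).

    Compared with the (cert_file, pkey_file) tuple form, building the context
    yourself lets you pin the minimum protocol version and disable TLS
    compression instead of accepting the server library's defaults.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS-level compression leaks plaintext (CRIME-style)
    if cert_file and key_file:
        # The certificate presented to clients: CA-signed, or self-signed if
        # the clients are under your control and trust it explicitly.
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def pinned_client_context(ca_file):
    """Client-side context for a client you ship yourself.

    PROTOCOL_TLS_CLIENT enables certificate verification and hostname
    checking by default; loading ca_file restricts trust to the certificate
    (or private CA) you shipped with the client, so a self-signed server
    certificate is verified rather than blindly accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def context_summary(ctx):
    """Plain-value view of the settings that matter, for checks and logging."""
    return {
        "min_tls": ctx.minimum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    from flask import Flask

    app = Flask(__name__)

    @app.route("/")
    def index():
        return "hello over TLS"

    # The three documented forms of the option:
    #   ssl_context=(CERT_FILE, KEY_FILE)           -> your certificate, library defaults
    #   ssl_context=hardened_server_context(...)    -> your certificate, your TLS settings
    #   ssl_context="adhoc"                         -> throwaway self-signed certificate
    #                                                  (recent Werkzeug needs the
    #                                                   'cryptography' package for this)
    # None of these make the dev server suitable for production.
    app.run(ssl_context=hardened_server_context(CERT_FILE, KEY_FILE))
```

A client built with pinned_client_context only accepts the certificate you shipped (or certificates signed by that CA), so an attacker presenting a different self-signed certificate fails verification, which is exactly the guarantee a browser warning about an unknown certificate is telling the user it cannot give.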