owasp-flask

python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host

returntocorp

Running flask app with host 0.0.0.0 could expose the server publicly.

python.flask.security.audit.secure-set-cookie.secure-set-cookie

returntocorp

Found a Flask cookie without secure, httponly, or samesite correctly set. Flask cookies should be handled securely by setting secure=True, httponly=True, and samesite='Lax' in response.set_cookie(...). If these parameters are not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker. Include the 'secure=True', 'httponly=True', samesite='Lax' arguments or set these to be true in the Flask configuration.