Skip to content

security: remove hardcoded Flask secret key and load from environment (fixes #362) #414

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pradeeban merged 1 commit into from
Feb 19, 2026
Merged

security: remove hardcoded Flask secret key and load from environment (fixes #362) #414

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,16 @@ _concore_ supports customization through configuration files in the `CONCOREPATH

Tool paths can also be set via environment variables (e.g., `CONCORE_CPPEXE=/usr/bin/g++`). Priority: config file > env var > defaults.

### Security Configuration

Set a secure secret key for the Flask server before running in production:

```bash
export FLASK_SECRET_KEY=$(python -c "import secrets; print(secrets.token_hex(32))")
```

Do **NOT** commit your secret key to version control. If `FLASK_SECRET_KEY` is not set, a temporary random key will be generated automatically (suitable for local development only).

For a detailed and more scientific documentation, please read our extensive [open-access research paper on CONTROL-CORE](https://doi.org/10.1109/ACCESS.2022.3161471). This paper has a complete discussion on the CONTROL-CORE architecture and deployment, together with the commands to execute the studies in different programming languages and programming environments (Ubuntu, Windows, MacOS, Docker, and distributed execution).


Expand Down
23 changes: 14 additions & 9 deletions fri/server/main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
from werkzeug.utils import secure_filename
import xml.etree.ElementTree as ET
import os
import secrets
import subprocess
from subprocess import call,check_output
from pathlib import Path
Expand Down Expand Up @@ -86,15 +87,19 @@ def get_error_output(e):


app = Flask(__name__)
secret_key = os.environ.get("FLASK_SECRET_KEY")
if not secret_key:
# In production, require an explicit FLASK_SECRET_KEY to be set.
# For local development and tests, fall back to a per-process random key
# so that importing this module does not fail hard.
if os.environ.get("FLASK_ENV") == "production":
raise RuntimeError("FLASK_SECRET_KEY environment variable not set in production")
secret_key = os.urandom(32)
app.secret_key = secret_key
app.secret_key = os.getenv("FLASK_SECRET_KEY")

if not app.secret_key:
# In production, require an explicit secret key to avoid session issues
flask_env = os.getenv("FLASK_ENV", "").lower()
if flask_env in ("development", "dev") or app.debug:
# Generate temporary key for development environments where a secret key
# has not been explicitly configured.
app.secret_key = secrets.token_hex(32)
else:
raise RuntimeError(
"FLASK_SECRET_KEY environment variable must be set in production."
)

cors = CORS(app)
app.config['CORS_HEADERS'] = 'Content-Type'
Expand Down