Derived from the flake8-bandit linter.
This rule is unstable and in preview. The --preview flag is required for use.
What it does
Checks for uses of debug=True in Flask.
Why is this bad?
Enabling debug mode shows an interactive debugger in the browser if an error occurs, and allows running arbitrary Python code from the browser. This could leak sensitive information, or allow an attacker to run arbitrary code.
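As an added illustration of the kind of check this rule performs (it is not Ruff's or flake8-bandit's own implementation), the following AST-based scan flags `.run(debug=True)` calls with a literal `True` and leaves runtime-computed values and `debug=False` alone. The function name `find_flask_debug_true` and the embedded `SAMPLE` source are constructed for this example.

```python
import ast

# Constructed sample source: one flagged call, one whose debug value is
# computed at runtime from the environment, and one with debug disabled.
SAMPLE = '''
import os
from flask import Flask

app = Flask(__name__)

if __name__ == "__main__":
    app.run(debug=True)                                   # flagged
    app.run(debug=os.environ.get("FLASK_DEBUG") == "1")   # not a literal
    app.run(host="0.0.0.0", debug=False)                  # debug disabled
'''


def find_flask_debug_true(source: str) -> list[int]:
    """Return the line numbers of calls of the form `<obj>.run(debug=True)`.

    Added example, not Ruff's code: only a literal `True` keyword argument is
    reported; values computed at runtime, `debug=False`, and calls that are
    not `.run(...)` are ignored, mirroring the shape of the rule described
    on this page.
    """
    tree = ast.parse(source)
    hits: list[int] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "run"):
            continue
        for kw in node.keywords:
            if (
                kw.arg == "debug"
                and isinstance(kw.value, ast.Constant)
                and kw.value.value is True
            ):
                hits.append(node.lineno)
    return hits


if __name__ == "__main__":
    for line in find_flask_debug_true(SAMPLE):
        print(f"line {line}: Flask app run with debug=True")
```

Reading the flag from the environment, as the second call in the sample does, keeps the interactive debugger off in deployments unless it is explicitly enabled there.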