
How safe is my Flask REST API?

My website is on http protocol. My flask API is secured via flask-httpauth ( https://github.com/miguelgrinberg/Flask-HTTPAuth ).

There is a Tornado web server in front of my Flask API which listens on a private port 5000. Client API requests first go to the Tornado server, which then calls the Flask API.

This is the flow I've got going:

My website (on http) ---> corpauthentication (on https) --> back to my website (http) --> client calls Tornado server --> Tornado calls Flask API and returns results

How safe is my API and website? I was reading this link Security of python flask REST API using HTTP Basic Authentication and it seems to me that the API is secure but I can never be sure.

If it's not safe, what else do you think I can do to make it more secure? Since corpauthentication is required to get in, I feel on the UI side it is pretty safe. But let's say someone is listening on my port 80, will they be able to track any API requests made even when there is tornado + httpbasic auth in place?

This is my Tornado Server code:

from tornado.wsgi import WSGIContainer
from tornado.ioloop import IOLoop
from tornado.web import FallbackHandler, RequestHandler, Application
from flaskfile import app  # the Flask application (protected by flask-httpauth)

class MainHandler(RequestHandler):
    def get(self):
        self.write("This message comes from Tornado ^_^")

# Wrap the Flask WSGI app so Tornado can hand requests over to it
tr = WSGIContainer(app)

application = Application([
    (r"/tornado", MainHandler),
    (r".*", FallbackHandler, dict(fallback=tr)),  # everything else goes to Flask
])

if __name__ == "__main__":
    application.listen(5000)  # plain HTTP on port 5000, no ssl_options
    IOLoop.instance().start()

This is how I'm calling the API from my Javascript:

$.ajax({
    url: 'http://x.x.x:5000/data',  // plain http: the header below travels in the clear
    type: 'GET',
    dataType: 'json',
    async: false,
    headers: {
        // HTTP Basic auth: btoa() is base64 encoding, not encryption
        "Authorization": "Basic " + btoa("username" + ":" + "password")
    },
    data: {start: startdate, end: enddate},
    success: function(result) {
        data = result.results;
    }
});

No, this is not secure - the comments in the other question you linked to are entirely correct. (BTW your question is really a duplicate of that).

Authentication over regular unencrypted HTTP is never secure - the username and password will be visible to any device between the user and the webserver, in plain text. As a first step you should implement SSL/TLS to encrypt the authentication information.

Tornado really needs to sit behind a web proxy of some sort. You could use either Apache or Nginx to fulfil this role. There are instructions for setting up Tornado+Nginx in this related question.
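An added example to illustrate the two points in the answer (it is not code from the question, the answer, Flask-HTTPAuth or Tornado): decode_basic_header() shows that the Authorization header the jQuery call builds with btoa() is only base64, readable by anyone on the path between browser and port 5000, and require_https() is a small WSGI middleware you can wrap around the Flask app before WSGIContainer(app) so the API refuses credentials that did not arrive over TLS. It assumes a TLS-terminating proxy (Nginx/Apache) that sets X-Forwarded-Proto on every request; fake_flask_app and the header value are constructed stand-ins.

```python
# Added example (not from the question or answer), standard library only:
# decode_basic_header() shows the Authorization header the jQuery call sends is
# only base64; require_https() is WSGI middleware to wrap the Flask `app` before
# WSGIContainer(app) so credentials sent over plain HTTP are refused.
import base64

def decode_basic_header(header_value):
    """Return (username, password) from a 'Basic ...' header, else None.
    No key is needed: base64 is an encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, _, password = raw.partition(":")
    return user, password

def require_https(wsgi_app, proxy_header="HTTP_X_FORWARDED_PROTO"):
    """Reject any request that did not arrive over TLS.
    Trust proxy_header only if the TLS-terminating proxy (nginx/Apache in front
    of Tornado) overwrites it on every request; otherwise a client could set it."""
    def middleware(environ, start_response):
        scheme = environ.get(proxy_header) or environ.get("wsgi.url_scheme", "http")
        if scheme.lower() != "https":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"HTTPS required\n"]
        return wsgi_app(environ, start_response)
    return middleware

def call_wsgi(app, environ):
    """Invoke a WSGI app directly and return (status, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
    body = b"".join(app(environ, start_response))
    return captured["status"], body

def fake_flask_app(environ, start_response):  # constructed stand-in for `app`
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"results": []}']

protected_app = require_https(fake_flask_app)  # then: WSGIContainer(protected_app)

if __name__ == "__main__":
    # Same header the jQuery snippet builds with btoa("username:password").
    print(decode_basic_header("Basic dXNlcm5hbWU6cGFzc3dvcmQ="))
    print(call_wsgi(protected_app, {"wsgi.url_scheme": "http"}))
    print(call_wsgi(protected_app, {"HTTP_X_FORWARDED_PROTO": "https"}))
```

The middleware only closes the plaintext gap once TLS is actually terminated in front of Tornado; on its own it just turns a silent credential leak into a visible 403.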
