
Isn't it dangerous to run a Flask app in debug mode on 0.0.0.0?

Configure Flask dev server to be visible across the network

Meaning it runs on my PC's IP address visible to the entire internet and arbitrary Python code can be run via my Flask app?

The direct answer is: yes, it is unsafe. But then again, so is driving a car or eating at a new restaurant with bad reviews.

The point is evaluating the risk. Things to consider:

  1. Are you launching this on a home network? In which case, your router almost certainly comes with its own firewall (and I only don't make the assertion because I can't possibly cover every single case). The server will not be accessible outside of the home network. Maybe there's a malicious housemate harbouring resentment and waiting to pounce?
  2. Are you launching on an intranet network? This would be accessible to everyone on the network. The vast majority of people won't be scanning the network for open ports, but you can't rule it out. Low risk, but it could happen that someone finds it.
  3. Are you running this on a server with a dedicated IP (not an internal IP like 10.0.0.x or 192.168.xx)? Is the particular port you're running on open to the wider internet, e.g. no firewall or special rules for that port? In which case, expect to get requests.
  4. Can someone landing on the site actually do something malicious? The whole point of having a web server is for other people to access it. If discovering your app is enough to be a real concern then it's just broken and you should be testing your fears on localhost.
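
A startup guard built on the considerations listed above, as an added example that is not part of the original question or answer: it classifies the bind address and refuses to enable debug mode unless the server listens on loopback only. The function names `classify_bind` and `safe_run_args` and the sample addresses are assumptions made for illustration.

```python
import ipaddress


def classify_bind(host: str) -> str:
    """Classify how widely a dev server bound to `host` can be reached."""
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname we cannot resolve offline: treat it as not provably local.
        return "unknown"
    # Order matters: Python also reports 0.0.0.0 and 127.0.0.1 as "private".
    if ip.is_unspecified:   # 0.0.0.0 or :: means every interface on the machine
        return "all-interfaces"
    if ip.is_loopback:      # 127.0.0.0/8 or ::1, reachable from this machine only
        return "loopback"
    if ip.is_private or ip.is_link_local:   # e.g. 10.0.0.x, 192.168.x.x
        return "private"
    return "public"


def safe_run_args(host: str, port: int, debug: bool) -> dict:
    """Return keyword arguments for app.run(), rejecting debug on non-loopback binds."""
    exposure = classify_bind(host)
    if debug and exposure != "loopback":
        raise RuntimeError(
            f"refusing debug=True on {host!r} (exposure: {exposure}); "
            "bind to 127.0.0.1 or turn debug off"
        )
    return {"host": host, "port": port, "debug": debug}


if __name__ == "__main__":
    # Constructed sample inputs; nothing here opens a socket.
    for host, debug in [("127.0.0.1", True), ("0.0.0.0", False),
                        ("0.0.0.0", True), ("192.168.1.10", True)]:
        try:
            print(host, debug, "->", safe_run_args(host, 5000, debug))
        except RuntimeError as exc:
            print(host, debug, "->", exc)
    # With a Flask application object named `app` (assumed), usage would be:
    #   app.run(**safe_run_args("127.0.0.1", 5000, debug=True))
```
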
