Flask (via Werkzeug) provides in-browser debugging when an unhandled exception is raised. Although the interactive console can be protected with a PIN so that only developers can use it, this feature must never be enabled in a production environment. With debug mode on, full stack traces, including the surrounding source lines, are rendered to any client that triggers an exception, and each frame of the traceback offers an interactive Python console. That console is PIN-protected by default, but if the PIN is disabled or set to a guessable value, the console amounts to remote code execution on the server.

Debug mode is enabled with the FLASK_DEBUG=1 environment variable (or by passing debug=True to app.run()), while the PIN is disabled with WERKZEUG_DEBUG_PIN=off or weakened by setting it to a predictable value.
Never ship debugging features in production environments.
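As an added example (not part of the original rule text or of Flask/Werkzeug), the following stdlib-only pre-flight check flags the weak settings described above and wraps them in an app factory that refuses to start the debugger outside development. The function names, the `production` flag and the sample environments are assumptions of this example; the parsing of FLASK_DEBUG and WERKZEUG_DEBUG_PIN mirrors what Flask's get_debug_flag() and Werkzeug's debugger PIN lookup do, to the best of my knowledge.

```python
"""Pre-flight audit of Werkzeug debugger exposure (example code, stdlib only)."""
from __future__ import annotations

import os
from typing import List, Mapping, Optional

# Flask's get_debug_flag(): any non-empty FLASK_DEBUG not in this set enables debug,
# so FLASK_DEBUG=yes or FLASK_DEBUG=on turn it on just like FLASK_DEBUG=1.
_FALSEY = {"0", "false", "no"}


def debug_requested(env: Mapping[str, str]) -> bool:
    """True when FLASK_DEBUG would switch on the debugger."""
    val = env.get("FLASK_DEBUG", "")
    return bool(val) and val.lower() not in _FALSEY


def pin_status(env: Mapping[str, str]) -> str:
    """Classify WERKZEUG_DEBUG_PIN as 'disabled', 'static' or 'generated'.

    Werkzeug compares the literal string "off"; a numeric value (optionally with
    dashes) is used verbatim as the PIN; anything else falls back to a random PIN.
    """
    pin = env.get("WERKZEUG_DEBUG_PIN")
    if pin == "off":
        return "disabled"
    if pin is not None and pin.replace("-", "").isdigit():
        return "static"
    return "generated"


def audit_debug_settings(env: Mapping[str, str], debug_flag: bool = False,
                         production: bool = True) -> List[str]:
    """Return a list of findings; empty means the debugger is not a risk here.

    `debug_flag` stands for a hard-coded app.run(debug=True) / app.debug = True.
    """
    findings: List[str] = []
    if not (debug_flag or debug_requested(env)):
        return findings  # debugger off: tracebacks and console never rendered
    if production:
        findings.append("debugger enabled in production: stack traces and an "
                        "interactive console are exposed to every client")
    status = pin_status(env)
    if status == "disabled":
        findings.append("WERKZEUG_DEBUG_PIN=off: console usable by anyone who "
                        "triggers an exception")
    elif status == "static":
        findings.append("WERKZEUG_DEBUG_PIN is a fixed value: guessable or "
                        "leakable, treat as disabled")
    return findings


def create_app(env: Optional[Mapping[str, str]] = None, production: bool = True):
    """App factory that fails closed: in production any debugger finding aborts startup.

    Flask is imported lazily so the audit itself runs without Flask installed.
    """
    env = os.environ if env is None else env
    findings = audit_debug_settings(env, production=production)
    if production and findings:
        raise RuntimeError("refusing to start: " + "; ".join(findings))
    from flask import Flask  # hypothetical app; only reached with safe settings
    app = Flask(__name__)
    app.debug = False if production else debug_requested(env)

    @app.route("/")
    def index():
        return "ok"

    return app


# Constructed sample environments (not real deployments).
WEAK_ENV = {"FLASK_DEBUG": "1", "WERKZEUG_DEBUG_PIN": "off"}
STATIC_PIN_ENV = {"FLASK_DEBUG": "true", "WERKZEUG_DEBUG_PIN": "123-456-789"}
SAFE_ENV = {"FLASK_DEBUG": "0"}

if __name__ == "__main__":
    for name, env in (("weak", WEAK_ENV), ("static pin", STATIC_PIN_ENV), ("safe", SAFE_ENV)):
        print(name, "->", audit_debug_settings(env) or ["no findings"])
```

Run the audit in the deployment's start-up script (or as a CI check against the container's environment) and let `create_app` fail closed rather than silently disabling the flag, so a misconfiguration becomes a visible deployment failure instead of a quiet change of behaviour.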