I’m new to Flask and I’m working with my team to build a website with a few different business needs. I am trying to figure out how to develop an authentication system in Flask that uses proper standards. Right now I am using Flask, Flask Login and WTF Forms under HTTP. I haven’t implemented HTTPS yet, but I do have an authentication system that hashes on the server side using argon2.
I am wondering – I’m not sure if I’m making my authentication system as secure as possible. As far as I know, I’m not storing clear-text passwords, I’m using a secret key that appends to the session ID (I think, it’s set by env[“SECRET_KEY”] but I don’t do anything with it) and is distributed as a cookie. The cookie contains session information. Right now I do not have CSRF tokens with each form but plan to do so.
I opened the inspector and I can see plain-text information. Even though we’re not serving over HTTPS yet, and there’s no CSRF token (does this change the content of the form anyway?), I’m still wondering if this should ever be visible. I don’t see form data like this for example when I login to Gmail:
In Chrome DevTools
Is the reason I can see plaintext information in the request because I don’t hash on the client-side first? Should I hash + salt on the client-side and then hash on the server side as well?
Thanks a bunch.