Hi Pythonistas,
We’ve expanded our support for Flask to help you build more robust, secure, and standards-compliant Python web applications.
Security
These rules reduce your attack surface by flagging a server that binds to every network interface (accidental public exposure) and POST requests that carry their data in the query string, where it ends up in access logs, browser history and Referer headers. They also harden your application against crashes by enforcing safe header lookups, so a header the client did not send is handled deliberately instead of raising an unhandled KeyError.
- S8392: Web servers should not bind to all network interfaces
- S8370: Query parameters should not be used in Flask POST requests
- S8371: HTTP headers should be accessed safely to avoid KeyError exceptions
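The three Security rules above correspond to a few concrete coding habits. The block below is an added example written for this post (it is not Sonar’s code and not a snippet from the rule descriptions) that puts the hardened form of each habit in one place: a bind address that refuses wildcards unless explicitly opted in, a header lookup that returns None instead of raising KeyError, and a POST handler that reads parameters from the body and ignores the query string. So that it runs without Flask installed it uses only the standard library, a bare WSGI handler and constructed request environs, and gives the Flask equivalent of each call in the comments; the “/login” handler and the “X-Api-Key” header are invented for illustration.

```python
"""Added example for the three Security rules above (S8392, S8370, S8371).

Illustration code written for this page, not Sonar's or Flask's. It uses only
the standard library (a bare WSGI handler plus constructed request environs),
so it runs without Flask installed; Flask equivalents are noted in comments.
"""
import io
import json
from typing import Optional
from urllib.parse import parse_qs

# S8392: a dev server bound to 0.0.0.0 or :: (Flask: app.run(host="0.0.0.0")) is
# reachable from every network the host is on. Default to loopback and make
# exposing the server an explicit, separate decision.
WILDCARD_HOSTS = {"0.0.0.0", "::"}


def choose_bind_host(requested: Optional[str], allow_all_interfaces: bool = False) -> str:
    """Return the address to bind, refusing wildcard addresses unless opted in."""
    host = requested or "127.0.0.1"
    if host in WILDCARD_HOSTS and not allow_all_interfaces:
        raise ValueError(f"refusing to bind to all interfaces ({host}); use 127.0.0.1")
    return host


# S8371: Flask's request.headers["X-Api-Key"] raises a KeyError (BadRequestKeyError)
# when the client omits the header; request.headers.get("X-Api-Key") returns None
# and lets the handler choose the response. This helper does the same over a WSGI environ.
def header(environ: dict, name: str, default: Optional[str] = None) -> Optional[str]:
    """Look up an HTTP header, e.g. "X-Api-Key" -> environ["HTTP_X_API_KEY"]."""
    key = name.upper().replace("-", "_")
    if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):  # WSGI stores these two unprefixed
        key = "HTTP_" + key
    return environ.get(key, default)


# S8370: POST parameters belong in the body (Flask: request.form / request.get_json()),
# not in the query string (request.args): query strings land in proxy and access logs,
# browser history and Referer headers. This parser reads the body only and never
# consults QUERY_STRING.
def form_body(environ: dict) -> dict:
    """Parse an application/x-www-form-urlencoded POST body into a dict."""
    content_type = (header(environ, "Content-Type", "") or "").split(";")[0].strip().lower()
    if content_type != "application/x-www-form-urlencoded":
        return {}
    length = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(length).decode("utf-8", errors="replace")
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def login(environ: dict) -> tuple:
    """Hypothetical POST /login handler returning (status, json_payload)."""
    if environ.get("REQUEST_METHOD") != "POST":
        return 405, {"error": "method not allowed"}
    if header(environ, "X-Api-Key") is None:            # absent header: no KeyError
        return 401, {"error": "missing X-Api-Key header"}
    fields = form_body(environ)                          # ?username=...&password=... is ignored
    if "username" not in fields or "password" not in fields:
        return 400, {"error": "username and password must be sent in the POST body"}
    return 200, {"user": fields["username"]}            # real credential check would go here


def make_environ(method: str, path: str, query: str = "", headers: Optional[dict] = None,
                 body: bytes = b"") -> dict:
    """Build a WSGI environ for a constructed request, so handlers run without a network."""
    env = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
           "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    for name, value in (headers or {}).items():
        key = name.upper().replace("-", "_")
        env[key if key == "CONTENT_TYPE" else "HTTP_" + key] = value
    return env


def application(environ, start_response):
    """WSGI entry point: serve login() as JSON."""
    reasons = {200: "OK", 400: "Bad Request", 401: "Unauthorized", 405: "Method Not Allowed"}
    status, payload = login(environ)
    body = json.dumps(payload).encode()
    start_response(f"{status} {reasons[status]}",
                   [("Content-Type", "application/json"), ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    host = choose_bind_host(None)  # 127.0.0.1; exposing the server is an explicit opt-in
    with make_server(host, 8080, application) as server:
        print(f"serving on http://{host}:8080/login")
        server.serve_forever()
```

Run as a script it serves on loopback only; a request that puts the credentials in the query string gets a 400 even when the API key header is present, because the body parser never looks at QUERY_STRING, and a request without the header gets a 401 rather than a traceback.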
Bug Prevention & Reliability
- S8385: “send_file” should specify “mimetype” or “download_name” when used with file-like objects
- S8375: Flask “preprocess_request()” return values should be handled
- S8374: Flask class-based view decorators should be applied using the “decorators” attribute
These rules catch “silent” logic errors, such as ignoring a return value that is meant to short-circuit a request, or passing “send_file” a file-like object without a “mimetype” or “download_name”, which leaves Flask with no way to infer the MIME type of the download.
Code Quality & Documentation
These rules promote clear, self-documenting code and standards-compliant responses.
- S6965: REST API actions should be annotated with an HTTP verb attribute
- S6863: Flask error handlers should set HTTP status code
We have also extended the Django rule S6552 to cover Flask:
- S6552: The ‘@receiver’ (Django) and ‘@route’ (Flask) decorators should be the outermost decorators
We hope you enjoy these updates and welcome your feedback. You can find them on:
SonarQube Cloud - now
SonarQube Server - from 2026.2
SonarQube Community Build - from 26.3.x
SonarQube IDE - your next plugin update
See what’s coming up for Python in SonarQube IDE, SonarQube Server and SonarQube Cloud.
Jean