Skip to content

Can a website’s controlling Python code be viewed?

I am trying to place a simple Flask app within a Docker container to be hosted on Firebase as per David East’s article on

Within the app, I have used Flask email to send emails automatically. Is it safe to leave the password as a string in the Python code?



It’s extremely unsafe. The password shouldn’t be in the code at all. Rotate the password immediately if you’re concerned it might be compromised.

There are two important details about Docker that matter here. The first is that it’s very easy to get content out of an image, especially if it’s in an interpreted language like Python; an interested party can almost certainly docker run --rm -it --entrypoint sh your-image to get an interactive shell to poke around, and it’s impossible to prevent this. The other is that it’s basically trivial to use Docker to root the host – docker run --rm -it -v /:/host busybox sh can read and write any host file as root, including the internal Docker storage – and so there is a fairly high level of trust involved.

Including passwords in code at all is usually a mistake, and it’s something most security scans will flag. If it’s included in your code then it’s probably checked into source control unencrypted, which also is a security issue. It being embedded in the code also probably makes it harder to change since the system operator won’t have access to the code.

In a Docker context, often the best way to pass a credential is through a docker run -e environment variable; your Python code would see it in the os.environ dictionary. Passing it via a file that is not checked in to source control is arguably more secure, but also more complex, and I don’t think the security gain is significant.

5 People found this is helpful