Don't use the development server in production. Use a real application server (uwsgi, gunicorn, etc.) and web server (nginx, apache, etc.).

In fact, the thread you linked goes on to strongly say exactly that.

I've seen it in use several times in production. I agree completely that people shouldn't, but they do, so it's still a problem.

I don't speak for the devs, but I doubt you're going to get anywhere on this one with that sort of argument. The answer is that the problem is solved by not using the dev server in production.

Fair enough. I'm just pointing out what I found, if/when I get around to fixing it I'll submit a pull request.

Also look at Waitress. Big fan.

Flask's server can handle only one request at a time (unless multithreading or multiprocessing is enabled), so no attacks are necessary in multi-user usage to get it down to its knees. Maybe you could try it with those options enabled, but even then I don't really see it as a problem.

The attack remains effective on the multithreaded version, though it does take longer to work. I would suggest making it more explicit in the documentation that a) the server is vulnerable and b) that it shouldn't be used in production.

Yes, see mitsuhiko#1170 for that.