GuardAPI

Fix Lack of Resources & Rate Limiting in Flask

Resource exhaustion is a low-effort, high-impact vector. In Flask, failing to enforce rate limits allows attackers to flood endpoints, saturating the GIL, exhausting database connection pools, or spiking cloud costs via compute-heavy routes. A 'hacker-proof' app treats every request as a potential DoS attempt and throttles accordingly.

The Vulnerable Pattern

```python
from flask import Flask, request

app = Flask(__name__)

@app.route('/api/v1/heavy-query')
def search():
    # VULNERABLE: No throttling.
    # An attacker can script 10,000 requests/sec to crash the worker.
    query = request.args.get('q')
    return {'status': 'success', 'data': f'Results for {query}'}
```

The Secure Implementation

The secure implementation uses `Flask-Limiter` to wrap routes with a decorator that counts requests per caller IP address. With a specific threshold (e.g., 5 per minute), the application rejects excessive traffic with HTTP 429 before the expensive logic runs. For production environments, `storage_uri` must point to a centralized store such as Redis or Memcached so that the counters are shared across all WSGI worker processes (Gunicorn/uWSGI); with the default in-memory store each worker keeps its own independent counter, so an attacker whose requests land on different worker processes effectively gets the limit multiplied by the number of workers.

```python
from flask import Flask
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)

# Initialize Limiter with Redis storage for production scalability
limiter = Limiter(
    key_func=get_remote_address,
    app=app,
    default_limits=["200 per day", "50 per hour"],
    storage_uri="memory://"  # Use redis://localhost:6379 in production
)

@app.route('/api/v1/heavy-query')
@limiter.limit("5 per minute")
def search():
    # SECURE: Throttles at the application layer.
    # Returns HTTP 429 if the limit is exceeded.
    return {'status': 'success', 'data': 'Limited results'}
```
