Fix Security Misconfiguration in Bottle
Bottle is a lightweight WSGI micro-framework, but its simplicity is a double-edged sword. Out-of-the-box defaults prioritize developer convenience over hardened security. Failing to disable debug mode or running the built-in wsgiref server in production exposes sensitive stack traces and leaves the application vulnerable to basic DoS and information disclosure. Hardening Bottle requires shifting from a 'development' mindset to a 'production-ready' configuration.
The Vulnerable Pattern
```python
from bottle import route, run, debug


@route('/crash')
def crash():
    raise Exception('Sensitive Database credentials leaked here')


# CRITICAL: Debug mode enabled leaks stack traces to the client
debug(True)

# CRITICAL: Binding to 0.0.0.0 exposes the app to the entire public internet
# CRITICAL: Using the default wsgiref server which is not for production
run(host='0.0.0.0', port=8080)
```
The Secure Implementation
1. Disable Debug Mode: The `debug(True)` call forces Bottle to output full Python tracebacks to the browser on 500 errors. This is an Information Disclosure vulnerability.
2. Production Server: Bottle's default `wsgiref` server is single-threaded and lacks basic protection against slowloris attacks or high concurrency. Use Gunicorn or uWSGI.
3. Interface Binding: Never bind to '0.0.0.0' unless you are inside a container with controlled networking; bind to '127.0.0.1' so the app is only reachable via a local reverse proxy.
4. Header Hardening: Bottle's default 'Server' header identifies the framework version. Use hooks to override it and to add security headers such as X-Frame-Options.
```python
from bottle import route, run, default_app, response


@route('/crash')
def crash():
    # Return a generic message; the real error is logged server-side, never sent to the client.
    return "An internal error occurred."


app = default_app()


# Set security headers via hook (runs after every request, including error responses)
@app.hook('after_request')
def set_security_headers():
    response.headers['Server'] = 'Hidden'
    response.headers['X-Content-Type-Options'] = 'nosniff'
    response.headers['X-Frame-Options'] = 'DENY'


if __name__ == "__main__":
    # 1. Disable debug mode
    # 2. Bind to localhost (let Nginx/Caddy proxy traffic)
    # 3. Use a production-grade server like Gunicorn or Waitress
    #    (extra keyword arguments such as workers are passed through to the server adapter)
    run(host='127.0.0.1', port=8080, debug=False, server='gunicorn', workers=4)
```
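To verify the fix rather than trust the configuration, the following added example (not code from the page or the Bottle project) drives a WSGI app in-process and reports traceback leakage and missing security headers. The names `audit`, `call_wsgi`, `leaky_app` and `hardened_app` are assumptions; the two stand-in apps are constructed to mimic the vulnerable and hardened responses above, so it runs without Bottle installed, and in a real project you would pass `bottle.default_app()` to `audit` from a CI test.

```python
"""CI-style smoke check for the Bottle misconfigurations discussed above."""
from wsgiref.util import setup_testing_defaults

# Headers the hardened app must send, with the values the after_request hook sets.
REQUIRED_HEADERS = {"X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY"}
# Bottle's debug error page embeds format_exc(), which starts with this line.
TRACEBACK_MARKER = b"Traceback (most recent call last)"


def call_wsgi(app, path):
    """Invoke a WSGI callable for GET <path> without a network; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def audit(app, error_path="/crash"):
    """Hit a route known to fail and return a list of findings (empty means all checks passed)."""
    status, headers, body = call_wsgi(app, error_path)
    findings = []
    if TRACEBACK_MARKER in body:
        findings.append("stack trace returned to client (debug mode left on?)")
    server = headers.get("Server")
    # A product/version token such as "WSGIServer/0.2" means the app did not override the header.
    if server is None or "/" in server:
        findings.append(f"Server header not hardened: {server!r}")
    for name, value in REQUIRED_HEADERS.items():
        if headers.get(name) != value:
            findings.append(f"missing or wrong header {name}: {headers.get(name)!r}")
    return findings


# Constructed stand-ins: what debug(True) on wsgiref returns vs the hardened app above.
def leaky_app(environ, start_response):
    start_response("500 Internal Server Error",
                   [("Content-Type", "text/html"), ("Server", "WSGIServer/0.2 Python/3.12")])
    return [b'<pre>Traceback (most recent call last):\n  File "app.py", line 4, in crash\n'
            b'Exception: Sensitive Database credentials leaked here</pre>']


def hardened_app(environ, start_response):
    start_response("500 Internal Server Error",
                   [("Content-Type", "text/plain"), ("Server", "Hidden"),
                    ("X-Content-Type-Options", "nosniff"), ("X-Frame-Options", "DENY")])
    return [b"An internal error occurred."]
```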
Verified by Ghost Labs Security Team