This extension provides a way to restrict access to your Flask application based on the incoming request's hostname or IP address or IP address range (network).
- Per-route configuration options.
- Customize denied access behavior.
- Two usage options: class-based or decorator-based.
- Restrict access by hostname, IP address or IP address range (network).
Install the package using pip:
pip install flask-allowed-hosts- Initialize the
AllowedHostsclass. - Define allowed hosts (optional).
- Define a function for denied access behavior (optional).
- Apply access control to routes using
@allowed_hosts.limit()decorator (optional).
from flask import Flask, jsonify, abort
from flask_allowed_hosts import AllowedHosts
app = Flask(__name__)
ALLOWED_HOSTS = ["93.184.215.14", "api.example.com"]
def custom_on_denied():
error = {"error": "Oops! Looks like you are not allowed to access this page!"}
return jsonify(error), 403
allowed_hosts = AllowedHosts(app, allowed_hosts=ALLOWED_HOSTS, on_denied=custom_on_denied)
# Allows all incoming requests
@app.route("/api/public", methods=["GET"])
def public_endpoint():
data = {"message": "This is public!"}
return jsonify(data), 200
# Only allows incoming requests from "93.184.215.14" and "api.example.com"
@app.route("/api/private", methods=["GET"])
@allowed_hosts.limit()
def private_endpoint():
data = {"message": "This is private!"}
return jsonify(data), 200
# We can override the allowed_hosts list and the on_denied function for each route
@app.route("/api/private/secret", methods=["GET"])
@allowed_hosts.limit(allowed_hosts=["127.0.0.1"], on_denied=lambda: abort(404))
def secret_private_endpoint():
data = {"message": "This is very private!"}
return jsonify(data), 200
if __name__ == '__main__':
app.run(host='0.0.0.0', port=5000, debug=True)Warning: This approach might cause unexpected behavior when combined with the class-based usage.
- Define allowed hosts (optional).
- Define a function for denied access behavior (optional).
- Apply access control to routes using
@limit_hostsdecorator.
from flask import Flask, jsonify
from flask_allowed_hosts import limit_hosts
app = Flask(__name__)
ALLOWED_HOSTS = ["93.184.215.14", "api.example.com"]
def custom_on_denied():
error = {"error": "Custom Denied Response"}
return jsonify(error), 403
# Allows all incoming requests
@app.route("/api/public", methods=["GET"])
def public_endpoint():
data = {"message": "This is public!"}
return jsonify(data), 200
# Only allows incoming requests from "93.184.215.14" and "api.example.com"
@app.route("/api/private", methods=["GET"])
@limit_hosts(allowed_hosts=ALLOWED_HOSTS, on_denied=custom_on_denied)
def private_endpoint():
return jsonify({"message": "This is private!"}), 200You can find more examples in the examples directory.
app: The Flask application instance (optional).allowed_hosts: List of allowed hosts (optional, defaults toNonewhich allows all hosts).on_denied: Function for denied access behavior (optional).
The extension respects these configurations:
ALLOWED_HOSTS: List of allowed hosts in Flask config.ALLOWED_HOSTS_ON_DENIED: Function for denied access behavior in Flask config.
Precedence: Values provided during initialization override Flask config values.
You can enable debug mode by setting the ALLOWED_HOSTS_DEBUG environment variable to True:
export ALLOWED_HOSTS_DEBUG="True"This will print helpful debug messages to the console.
Contributions are welcome! Please feel free to submit a Pull Request.
If you have any questions or feedback, please feel free to open an issue or a pull request.
This project is licensed under the [MIT] License - see the LICENSE.md file for details.