Deploying Web2py App Securely

I am ready to deploy my Web2py application. I have named my app 'init' to set it as the default app. Currently, if someone were to enter http://mypythonanywhere.com/admin, they would receive an "Admin is disabled because insecure channel" message. If they entered that URL with https, they would arrive at my Web2py Administrative Interface login page.

Is this considered insecure? To my understanding, the admin page is still inaccessible without the password. However, I'm not well versed in security, and have read in the Web2py book that the admin and appadmin should be disabled altogether (link here: Web2py Deployment, under Securing Sessions and Admin).

To all others who have deployed Web2py apps on Pythonanywhere, were there any other steps you had to take to secure your webapps?

So it looks to me like the scale of security for web2py is (from least secure to most secure):

  • admin available through http <-- NEVER let this happen!
  • admin only available through https <-- this is what PA does
  • admin only available through an SSH tunnel linked to a different web2py instance
  • admin disabled entirely

So your app could be more secure, but we don't yet support the third method. I think that you can disable the admin interface for your app by deleting parameters_443.py from your web2py directory (or moving it somewhere safe so you can easily re-enable it when you want to make changes).
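A small helper for the "move parameters_443.py somewhere safe" approach suggested in this reply, added here as an example and not code from the thread or from web2py itself. It assumes the web2py root directory is passed as the first argument and a backup directory outside the web root as the second; web2py enables admin on a port only while the matching parameters_<port>.py exists, so moving every such file out disables admin and a status check lists whatever is still present.

```shell
#!/bin/sh
# Added example (not from the forum thread or from web2py): disable or re-enable
# web2py's admin interface by moving its parameters_<port>.py files.
# Assumptions: $1 is the web2py root directory, $2 is a backup directory that is
# NOT served by the web server.

# Report the parameters_*.py files present. Exit status 0 means admin is still
# enabled on at least one port; 1 means no parameters_<port>.py file remains.
web2py_admin_status() {
    dir="$1"
    found=0
    for f in "$dir"/parameters_*.py; do
        [ -e "$f" ] || continue
        found=1
        echo "admin enabled: $f"
    done
    [ "$found" -eq 1 ] && return 0
    echo "admin disabled: no parameters_<port>.py in $dir"
    return 1
}

# Move every parameters_<port>.py out of the web2py directory into the backup
# directory (created owner-only, since it holds the admin password hash).
web2py_admin_disable() {
    dir="$1"; backup="$2"
    mkdir -p "$backup" && chmod 700 "$backup"
    for f in "$dir"/parameters_*.py; do
        [ -e "$f" ] || continue
        mv "$f" "$backup/"
    done
}

# Move the saved files back so admin is reachable again (over https only).
web2py_admin_enable() {
    dir="$1"; backup="$2"
    for f in "$backup"/parameters_*.py; do
        [ -e "$f" ] || continue
        mv "$f" "$dir/"
    done
}
```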