Forums

The pythonanywhere.com subdomain for my webapp is easily known to bots and others, and the web app executes without specifying any subdirectories or file names. So anyone can execute my webapp just by hitting my subdomain? Is it possible to disable this and require a partial or full path to at least obscure access to the web app? I'm not looking for high security, just not having every random bot hit my web app.

Password is overkill. Requiring some special parameter in the request seems kludgy. I just want hits that aren't mine to get a 404 or 403, which a required path would accomplish. Aside from the nuisance of undesired hits, clogging logs, etc., those unwanted hits will go against my resources.

You are on public internet, anyone can hit anything.

On my own server, I can at least bury it in an obscure path, which makes it exceedingly unlikely that it will get hits by bots, scrapers, and other clients with mal-intent, and everything else gets a 4xx status code (and minimal resource usage). I would think PythonAnywhere would want to offer some mechanism to reduce the resources used for hits by irrelevant clients. Not as good as a quick 404 or 403, but sounds like I will need to use some request parameter to pass an "apikey". P.S. looks like I can just not define a route for "/" and that will give a 404 (though still using resources beyond the web server)

Yes, you could bury your app under obscure route, but anyone can hit just the domain and get junk 404.

Yes, that solution works for me. I'm new to Flask, so it wasn't obvious at first. It uses more resources than a plain webserver 404, but I think that's the best option for now.