What Are the Risks of Making My Flask Dev Server Publicly Accessible?

Asked By CuriousCoder42 On

I'm planning to set up a small Flask server on my personal computer and use Tailscale to make it accessible over the public internet. I'm wondering what the realistic risks associated with this setup might be. Should I consider using a different approach?

5 Answers

Answered By DevWithCaution On

Keep in mind that running a Flask server in production can lead to issues, especially with memory leaks and various security vulnerabilities. It's best to have a solid reverse proxy setup like Nginx or a protective solution like Cloudflare in front of it for reliability.

Answered By CautiousAdmin On

The risk of exposing your setup largely depends on your Tailscale security. If your account or a device on your network gets compromised, someone could potentially gain access. However, exposing an SSH service with key authentication on a non-standard port might even be less risky. Just be mindful when forwarding any web services to the public since there are always vulnerabilities to consider.

Answered By TechSavvyJoe On

It's really important to run your server with Gunicorn instead of the default Flask development server. The docs clearly state that the dev server isn't meant for production use since it's not very secure or stable. Switching to Gunicorn is just a single dependency away, and it's better for running a real server. You might also want to set up Caddy as a reverse proxy in front of Gunicorn to handle HTTPS for added security.

Answered By SecureNetNerd On

Tailscale adds an extra layer of security, so if it’s just for your own usage, keeping it on the tailnet is a good move. But remember, the Flask dev server doesn't belong in a production environment, regardless of whether you limit access to it or not.
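
Added example, not part of any answer in this thread: a pre-launch check in Python for the points made in the two answers above (keep the Flask dev server off the network, keep the listener on loopback or the tailnet). The function names and the `flask-dev` / `gunicorn` labels are assumptions of this example. The address ranges are the ones Tailscale assigns tailnet addresses from.

```python
import ipaddress

# Tailscale hands out tailnet addresses from these ranges.
TAILNET_NETS = [ipaddress.ip_network("100.64.0.0/10"),
                ipaddress.ip_network("fd7a:115c:a1e0::/48")]

def classify_bind(host):
    """Classify a listen address by who can reach it."""
    if host == "localhost":
        return "loopback"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:              # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in TAILNET_NETS):
        return "tailnet"
    return "lan" if ip.is_private else "public"

def audit_launch(host, debug, server):
    """Return findings for one launch; server is 'flask-dev' or 'gunicorn'
    (labels chosen for this example)."""
    exposure = classify_bind(host)
    findings = []
    if server == "flask-dev" and exposure != "loopback":
        findings.append("Flask dev server reachable off-host (%s); "
                        "serve the app with Gunicorn instead" % exposure)
    if debug and exposure != "loopback":
        findings.append("debug=True reachable off-host; the Werkzeug debugger "
                        "console executes Python and is guarded only by a PIN")
    if exposure in ("all-interfaces", "public"):
        findings.append("listener is not limited to loopback or the tailnet; "
                        "bind 127.0.0.1 behind the reverse proxy, or the "
                        "tailnet address")
    return findings

if __name__ == "__main__":
    # Constructed sample launches, not taken from the thread.
    samples = [("0.0.0.0", True, "flask-dev"),
               ("100.101.102.103", False, "flask-dev"),
               ("127.0.0.1", False, "gunicorn")]
    for host, debug, server in samples:
        print(host, server, audit_launch(host, debug, server) or "ok")
```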

Answered By ServerSleuth On

When I used Caddy with Cloudflare in front of a local server, I only ran into issues when my electricity went out. If it’s just for personal use, that’s fine, but if you're exposing it for others, I'd suggest looking into a VPS instead for more reliability.
