Like I did last year, I reserved some time during my holiday break to prepare an independent report of the Flask ecosystem in 2025.

A couple of months ago, I received a request from a random Internet user to add CSRF protection to my little web framework Microdot, and I thought it was a fantastic idea.

When I set off to do this work in early November I expected I was going to have to deal with anti-CSRF tokens, double-submit cookies and hidden form fields, pretty much the traditional elements that we have used to build a defense against CSRF for years. And I did start along this tedious route. But then I bumped into a new way some people are dealing with CSRF attacks that is way simpler, which I describe below.

You may have seen the recent reports of a malware that stole API keys, tokens and other secrets from a large number of developers. From where were these secrets stolen from? You guessed it, they were mostly stolen from environment variables.

We use environment variables to configure information that processes need to run, but this type of storage was not designed for security, so using the environment for secrets always comes with risk. Given how serious this recent attack was, I thought it would be good to write a short article describing how I manage my secrets as part of my open source work.

In November of 2024 I wrote a blog post titled "Is Python Really That Slow?", in which I tested several versions of Python and noted the steady progress the language has been making in terms of performance.

Today is the 8th of October 2025, just a day after the official release of Python 3.14. Let's rerun the benchmarks to find out how fast the new version of Python is!

In the Q&A session following my EuroPython 2025 presentation about the Microdot web framework, a member of the audience asked me what the performance of MicroPython running on a microcontroller is. This took me a bit by surprise, because I really had no way to quantify it, I just knew it was, in vague terms, not great. I never questioned the low performance, because it was never a problem for me.

My answer to the question was that microcontrollers cannot replace a computer, and that these devices are only useful for small, focused tasks that are not demanding in any way. But after returning from the conference I kept thinking about this question, which piqued my curiosity. So I decided to build a better mental image of the performance these little machines have.

In this blog post I want to share some results that compare Python code running on a few microcontroller boards that I have collected through my experiments with hardware, along with my laptop and a Raspberry Pi 4 to help put things into perspective.

People keep asking me If I use Generative AI tools for coding and what I think of them, so this is my effort to put my thoughts in writing, so that I can send people here instead of having to repeat myself every time I get the question.

From the title you already know that this isn't a pro-AI blog post. But it isn't an anti-AI post either, at least I don't think it is. There are already plenty of articles by AI promoters and AI critics, so I don't feel there is a need for me to write one more of those. While I'm definitely not neutral on the subject, in this article I'm just going to share my personal experience with these tools, from a strictly technical point of view.

My article on creating a React + Flask project is one of the most visited on this blog. Can you believe that I wrote it over 5 years ago?

In this article and video I'm going to share how I'm building this type of project in 2025. The main change I've introduced since I documented my 2020 process is that now I'm using Vite (French word that is pronounced "veet" and means "quick") instead of create-react-app to scaffold the React application, since the latter isn't maintained anymore.

The other day I shared my code editor window during a video call with a client, and he immediately did a double take. "How did you make your code look like that?", he wanted to know. Have a look at the following screenshot and see if like my client, anything calls your attention:

If you are wondering what secret keyboard trick allows you to type ≠, ≤, ≥ and other unusual characters, and then how to get Python and other programming languages to accept them then read on, as this is much easier than you think and you can do it too!

I've been given a review copy of The Quick Python Book, Fourth Edition by Naomi Ceder, published by Manning. Since I often get asked for Python book recommendations, I thought it would be a good idea to share a review, in case you are looking for material to sharpen your Python skills.

A common need in web applications is to create a form that allows the user to enter a list of items, with the number of items not known in advance. This is a pattern often used when entering user information, specifically for phone numbers or addresses, but has a lot of other uses as well. In the example below you can see how the user dynamically adds more phone numbers to the form by clicking the "Add another" link.

Implementing this with Flask is surprisingly tricky, as it requires a combination of back and front end techniques working together. In this article I will show you two possible solutions, a basic one that uses only Flask and a more complete one for the Flask-WTF form handling extension.