Category
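Flask Production Operations Guide: implementation articles (application factory / Blueprint / Flask-SQLAlchemy and Migrate / authentication and JWT / Celery async / REST API and OpenAPI / caching and rate limiting / testing / deployment / security / observability / technology selection)
Flask is a WSGI microframework whose design philosophy is to "provide only the core (routing, request/response, templates, configuration, context) and not build in an ORM, form validation, or an admin screen." That is exactly why production quality is determined not by features but by "structural design." This cluster covers: large-scale structure using the create_app application factory that abandons the global app, together with Blueprints and init_app; context design that relies on current_app / g instead of passing around an app that does not exist at import time; contract testing of boundaries with test_client and pytest fixtures; production deployment that abandons the development server and runs on Gunicorn, ProxyFix, and Docker; security through signed-cookie sessions, SECRET_KEY, CSRF (Flask-WTF), and auto-escaping; observability through errorhandler JSON errors, dictConfig structured logs, and request IDs; and the upstream technology-selection question of whether Flask should be adopted at all (compared with FastAPI / Django). It further covers the implementations that are always asked about on real projects: the data layer with Flask-SQLAlchemy (2.0 style) + Flask-Migrate, authentication with Flask-Login (sessions) / Flask-JWT-Extended (tokens), idempotent async tasks with Celery × Redis, REST API design with MethodView and automatic OpenAPI / Swagger generation with Flask-smorest, and performance optimization and rate limiting with Flask-Caching / Flask-Limiter, comprehensively covering designs that combine the extension ecosystem at production quality. Grounded in the experience of designing, implementing, and operating in production the backend of a B2B SaaS that won the Minister of Economy, Trade and Industry Award, built with Flask / SQLAlchemy / PostgreSQL, it systematizes, in real code faithful to each official documentation, the discipline needed to keep design freedom from turning into debt. For boundary validation (marshmallow), see the "marshmallow" cluster; for SQLAlchemy itself and Alembic, see the "Python backend" cluster.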
14 articles in total
Foundational guide
Foundational guide (start here)
Flask Production Operations Guide (3.1 Series): The Overall Picture of Application Factory, Blueprints, Configuration, Context, and Production Deployment
An overall guide to designing and operating Flask 3.1 series at production quality. We systematize — in real code faithful to the latest official documentation — the philosophy of the WSGI microframework, the create_app application factory, splitting with Blueprints, configuration management with from_prefixed_env and the instance folder, the current_app/g context, extensions' init_app, error handling and logging, SECRET_KEY and safe Cookies, production deployment with Gunicorn + ProxyFix, and testing with pytest.
Related practical articles
- Python, Flask, Authentication, JWT, Security
A Guide to Implementing Authentication in Flask: When to Use Flask-Login (Session Auth) vs. Flask-JWT-Extended (Token Auth), and How to Build Both for Production
A production-quality guide to Flask authentication. From the decision axis for choosing between Flask-Login (0.6.3) session auth and Flask-JWT-Extended (4.7.4) token (JWT) auth per client type, through register/login/logout, @login_required, current_user, refresh tokens, blocklists, and httpOnly Cookie + CSRF — explained with real code faithful to the official docs. It also honestly maps out the boundary between rolling your own auth and using a managed IdP.
30 min read
- Python, Flask, Celery, Redis, Asynchronous processing
Flask × Celery × Redis: Running Background Tasks and Job Queues at Production Quality (Flask Context Integration, Idempotency, Resilience)
A practical guide to designing async tasks and job queues at production quality with Flask, Celery, and Redis. It covers the official celery_init_app and FlaskTask app-context integration, shared_task, .delay/AsyncResult, idempotency that withstands at-least-once delivery, resilience through autoretry/acks_late/visibility timeout, periodic execution with Celery Beat, and a Docker setup that runs workers in a separate container plus Flower monitoring and task_id-correlated logs, all explained with real code faithful to the latest official Flask docs and the Celery documentation.
23 min read
- Python, Flask, OpenAPI, Swagger, REST API
Auto-Generating OpenAPI/Swagger in Flask: Building Schema-Driven REST APIs and API Docs at Production Quality with Flask-smorest
An implementation guide to auto-generating OpenAPI/Swagger with Flask-smorest 0.47. Bundle Flask + marshmallow + webargs + apispec to simultaneously generate input validation, response shaping, and the OpenAPI spec from a single schema. @blp.arguments/@blp.response, Swagger UI/ReDoc, pagination, error documentation, protecting Swagger UI in production, and generating openapi.json in CI — explained with real code.
23 min read
- Python, Flask, Performance, Redis, Rate limiting
Flask Performance Optimization in Practice: Caching with Flask-Caching (Redis), Rate Limiting with Flask-Limiter, and N+1 and Connection Pools
An implementation guide to Flask performance optimization and cost reduction. Measurement-first (p95/p99), Flask-Caching 2.4.0's Redis cache (@cache.cached/@cache.memoize, invalidation), Flask-Limiter's rate limiting and the must-have-shared-Redis trap, and N+1, connection pools, and PgBouncer—all explained with official-compliant real code.
28 min read
- Python, Flask, REST API, MethodView, Blueprint
REST API Design in Flask: MethodView (Class-Based Views), Resource Design with Blueprints, API Versioning, Pagination, and HTTP Semantics
A practical guide to designing a production-quality REST API in the Flask 3.1 line. From MethodView's item/collection two-class structure, as_view+add_url_rule and the register_api factory, resource splitting and /api/v1 versioning with Blueprints, HTTP semantics (idempotency, status codes), to conventions for pagination/filtering and the JSON error envelope — explained with real code faithful to the official docs.
31 min read
- Python, Flask, SQLAlchemy, Flask-Migrate, Database
Flask's Data Layer: Designing and Operating a Production DB with Flask-SQLAlchemy 3.x (2.0 Style) and Flask-Migrate
A practical guide to designing and operating Flask-SQLAlchemy and Flask-Migrate at production quality. Explained with real code faithful to the official documentation: Flask-SQLAlchemy 3.1 and SQLAlchemy 2.0's typed Mapped/mapped_column, the 2.0-style query session.execute(select), get_or_404 and db.paginate, the application context and per-request sessions, pool design with pool_pre_ping/pool_recycle in SQLALCHEMY_ENGINE_OPTIONS, read replicas via SQLALCHEMY_BINDS, and Flask-Migrate (Alembic)'s autogenerate review discipline and upgrades in CI/CD.
23 min read
- Python, Flask, Blueprint, Architecture design, Production operations
Flask Large-App Structure: Extending Without Circular Imports Using the Application Factory (create_app) and Blueprints
A practical guide for designing a large Flask 3.1-series app structure at production quality. Explained with real code faithful to the official documentation: the breakdown of the global app and circular imports, the create_app application factory, the bare extension → init_app of extensions.py, Blueprints' url_prefix / endpoint naming / nesting / templates and static files / error handlers / CLI, per-environment Config with from_object + from_prefixed_env, and the src/ layout and the YAGNI discipline of splitting.
22 min read
- Python, Flask, Architecture design, Production operations, Backend
A Thorough Explanation of Flask's Application Context and Request Context: Using current_app / g / request / session Correctly
An explanation of Flask 3.1's 2 contexts (application / request) faithful to the official spec. We systematize, in real code, the true nature of current_app, g, request, and session, the async-safe mechanism via contextvars + LocalProxy, teardown_appcontext, app_context/test_request_context, copy_current_request_context, and the correct handling of the Working outside of context error.
20 min read
- Python, Flask, pytest, Testing, Backend
Flask Testing Practical Guide: Writing Production-Quality Automated Tests with pytest fixtures, test_client, and test_cli_runner
A complete guide to writing Flask 3.1-series tests at production quality. Explained with real code faithful to the official documentation: why the application factory and test_client make testing easy, the effect of TESTING=True, the app/client/runner pytest-fixture trio, request verification with response.data/json/text, follow_redirects, and session_transaction, test_request_context and app_context, and CLI testing with test_cli_runner.
20 min read
- Python, Flask, Gunicorn, Docker, WSGI
Flask Production Deployment in Practice: Gunicorn, Choosing a WSGI Server, ProxyFix, Docker, Graceful Shutdown
An implementation guide to deploying Flask 3.1.x at production quality. From why you abandon the development server, the separation of the WSGI app and the server, choosing among Gunicorn/Waitress/uWSGI/mod_wsgi, worker counts and gevent workers, the correct ProxyFix configuration and operating behind an ALB, multi-stage Docker and non-root containers, to graceful shutdown via SIGTERM and zero-downtime deploys on ECS — explained with real code faithful to the official documentation.
25 min read
- Python, Flask, Security, CSRF, Cookie
Flask Security Implementation Guide (3.1 Series): Signed-Cookie Sessions, SECRET_KEY, Secure Cookies, CSRF, XSS Auto-Escaping, and Security Headers
An implementation guide for hardening Flask 3.1-series security boundaries at production quality. Explained with real code faithful to the official documentation: the true nature of the client-side signed-cookie session, SECRET_KEY and key rotation, SECURE/HttpOnly/SameSite secure cookies, Flask-WTF's CSRFProtect, Jinja's auto-escaping, HSTS/CSP/nosniff security headers, and DoS countermeasures.
25 min read
- Python, Flask, Observability, Logging, Error handling
Flask Error Handling, Logging, and Observability Guide (3.1 line): JSON Error Design, Structured Logs, Request IDs, Sentry, and Health Checks
Systematizing Flask 3.1-line production error handling and observability. From errorhandler/abort, custom HTTPException, and resolution order, HTTPException→JSON and a common error envelope, structured logs via dictConfig, request-ID correlation, Sentry integration and PII scrubbing, to ALB/ECS-oriented health checks—all explained with official-compliant real code.
23 min read
- Python, Flask, FastAPI, Django, Technology selection
Flask vs. FastAPI vs. Django technology-selection guide: which to choose in which situation (2026 edition, production-operation decision axes)
A technology-selection guide comparing Flask, FastAPI, and Django from the viewpoint of production operation. It organizes architecture philosophy, sync/async, type validation, the admin screen, the learning curve, and current versions in a table, and shows the recommended framework by scenario: REST API, high-concurrency IO, instant admin screen, staged migration. The definitive guide to the differences between Flask, FastAPI, and Django, their comparison, and selection.
17 min read