Could this message maybe be extended with some more specific or useful information?

Maybe something like:

Recent requests to /robots.txt indicate that this deployment may be accessible to the public internet.

This warning can be disabled by setting webserver.warn_deployment_exposure=False in the configuration.

We could also link to a page in the docs with more information on webserver security.

Flask uses cookie-based sessions. This warning will therefore only be displayed to clients who have visited /robots.txt, in our case bot crawlers. I think we should notify the administrator about this situation, not the bot.

what would be the best way to display the message for admin team? is there some way to post the message only for admin sessions?

I guess you need to write it down to the database as a new table or to the event log table.

Should this be limited to the last week or something? The warning message explicitly states that Recent requests have been made to /robots.txt but this could be triggered by very old requests.

There's also no way to clear this entry without deleting the log event so it might persist for a long time, even if the vulnerability is fixed.

Wondering if it would be good enough to clear requests older than a week and only display the message on recent requests

Could we also just query for events within one week old? Something like:

robots_file_access_count = (
    session.query(Log)
    .filter(Log.event == "robots")
    .filter(Log.dttm > (utcnow() - timedelta(days=7)))
    .count()
)

I don't think this warning can be disabled? I don't see the value of warn_deployment_exposure actually being referenced anywhere other than the config.

removed it during a merge, I will put it back in the if statement

In one sentence, we are talking about a configuration option, and then we link to a documentation that does not contain a description of that option.

I will add the config to documentation

This query should only be run if webserver.warn_deployment_exposure is enabled. Otherwise its putting additional load on the database for no reason, since the warning isn't going to be displayed anyways.

Can you use the get_docs_url function? Thanks to it, the link will be pinned to the version.

Probably:

I think that this value will need to be updated, but if this is merged in the next week or two it will probably be included in the 2.2.3 release.

Let's make it 2.3.0 please -- this won't be included in 2.2.3