Deploy Flask and Django Apps on Tor
Python web frameworks like Flask and Django are excellent choices for Tor hidden services — they are lightweight, well-documented, and offer fine-grained control over HTTP behavior. This guide covers deploying Flask and Django applications as .onion services using Gunicorn and Nginx, with attention to preventing IP leaks and optimizing performance for Tor's high-latency network.
Flask Application for Tor
Create a minimal Flask application configured for Tor hosting. The key considerations are binding to localhost only and avoiding any external requests that could leak your IP:
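# app.py — Flask app for Tor hidden service
import os

from flask import Flask

app = Flask(__name__)

# Security configuration
# Gunicorn starts several workers; a key generated at import time would differ
# per worker and invalidate sessions. The SECRET_KEY environment variable is an
# assumption of this listing; the random fallback only suits a single process.
app.config['SECRET_KEY'] = os.environ.get('SECRET_KEY') or os.urandom(32)
app.config['SESSION_COOKIE_HTTPONLY'] = True
app.config['SESSION_COOKIE_SAMESITE'] = 'Strict'

# Onion traffic reaches the app as plain HTTP; never trust proxy headers on Tor
app.config['PREFERRED_URL_SCHEME'] = 'http'


@app.route('/')
def index():
    return 'Welcome to my .onion site'


@app.after_request
def security_headers(response):
    response.headers['X-Content-Type-Options'] = 'nosniff'
    response.headers['X-Frame-Options'] = 'SAMEORIGIN'
    response.headers['Referrer-Policy'] = 'no-referrer'
    # Remove any Server header set inside the application
    response.headers.pop('Server', None)
    return response


if __name__ == '__main__':
    app.run(host='127.0.0.1', port=5000)

The after_request hook adds security headers to every response and drops any Server header the application set, to limit framework fingerprinting. The Server header that Gunicorn and Nginx add after Flask has returned the response is not affected by this hook and has to be handled in their own configuration. Binding to 127.0.0.1 ensures the app only accepts connections from the local Tor daemon via the reverse proxy.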
Gunicorn + Nginx + Tor Configuration
In production, serve your Flask/Django app with Gunicorn behind Nginx, which handles static files and connection management:
# Run Gunicorn
gunicorn --bind 127.0.0.1:5000 \
    --workers 4 \
    --timeout 120 \
    --access-logfile /dev/null \
    --error-logfile /dev/null \
    app:app

# /etc/nginx/sites-available/onion-python
server {
    listen 127.0.0.1:8080;

    location /static/ {
        alias /var/www/app/static/;
        expires 30d;
    }

    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        # An empty value stops Nginx from passing the header to the app
        proxy_set_header X-Real-IP "";
        proxy_set_header X-Forwarded-For "";
        proxy_read_timeout 120s;
    }

    access_log off;
    error_log /dev/null;
}

# Systemd service for Gunicorn
# /etc/systemd/system/onion-app.service
[Unit]
Description=Onion Flask App
After=network.target tor.service

[Service]
User=www-data
WorkingDirectory=/var/www/app
# Same flags as the manual command above, including --error-logfile, so that
# nothing reaches the journal through stderr
ExecStart=/var/www/app/venv/bin/gunicorn --bind 127.0.0.1:5000 --workers 4 --timeout 120 --access-logfile /dev/null --error-logfile /dev/null app:app
Restart=always

[Install]
WantedBy=multi-user.target

Disable all logging in both Gunicorn and Nginx to prevent storing request data that could be used to deanonymize visitors. Set the timeout to 120 seconds to accommodate Tor's higher latency.
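As an added check (not part of the original guide), the script below parses `ss -Htln` output and reports any listener on the guide's two ports, 5000 and 8080, that is bound to something other than a loopback address. The sample output is constructed, and the function names are this example's own.

```python
import ipaddress

# Ports from this guide: Gunicorn on 5000, Nginx on 8080.
APP_PORTS = {5000, 8080}

# Constructed sample of `ss -Htln` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 2048 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 511 [::]:8080 [::]:*
LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 2048 *:5000 *:*
"""

def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; wildcards and names are not loopback."""
    host = host.split("%", 1)[0].strip("[]")   # drop %iface scope and IPv6 brackets
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                          # "*" or anything unparseable
        return False

def exposed_listeners(ss_output, ports=APP_PORTS):
    """Return sorted (address, port) pairs for app ports bound off-loopback."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                            # header row or non-listening socket
        host, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) in ports and not is_loopback(host):
            findings.add((host, int(port)))
    return sorted(findings)

if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS):
        print(f"EXPOSED: port {port} is listening on {host}")
```

On a real host, pass the text produced by `ss -Htln` to `exposed_listeners()` in place of the sample; an empty result means both ports are reachable only through loopback.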
Django-Specific Configuration for Tor
Django requires additional settings for secure .onion deployment. Update your settings.py to prevent common leaks:
# settings.py — Django settings for Tor hidden service
import os

# BASE_DIR (used below) is defined at the top of the settings.py that
# django-admin startproject generates.

ALLOWED_HOSTS = ['your56charaddress.onion', '127.0.0.1']

# Disable debug in production
DEBUG = False

# No external static file CDNs
STATIC_URL = '/static/'
STATICFILES_DIRS = [os.path.join(BASE_DIR, 'static')]

# Disable outbound email (would leak IP); the console backend writes
# messages to stdout instead of sending them
EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'

# Security middleware
SECURE_BROWSER_XSS_FILTER = True  # has no effect on Django 4.0 and later
SECURE_CONTENT_TYPE_NOSNIFF = True
X_FRAME_OPTIONS = 'SAMEORIGIN'

# Session settings
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SAMESITE = 'Strict'
CSRF_COOKIE_HTTPONLY = True

# Disable HTTPS redirect (Tor handles encryption)
SECURE_SSL_REDIRECT = False
SESSION_COOKIE_SECURE = False
CSRF_COOKIE_SECURE = False

# Discard all log records
LOGGING = {
    'version': 1,
    'handlers': {'null': {'class': 'logging.NullHandler'}},
    'root': {'handlers': ['null']},
}

The critical settings are ALLOWED_HOSTS (restricts which hostnames Django responds to), the disabled email backend (prevents DNS leaks from outbound email), and the disabled SSL redirect (Tor provides its own encryption layer). Set all logging to NullHandler to avoid storing visitor data on disk.
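An added example, not from the original guide: a pre-deployment audit that flags settings values which undo the protections described above, including Django's SMTP default when EMAIL_BACKEND is left unset. The function name, the finding texts and both sample dicts are constructed for illustration.

```python
from urllib.parse import urlsplit

# Django's own default when settings.py does not set EMAIL_BACKEND.
DJANGO_DEFAULT_EMAIL = "django.core.mail.backends.smtp.EmailBackend"
LOOPBACK_NAMES = {"127.0.0.1", "localhost", "[::1]"}

def audit_onion_settings(settings):
    """Return findings for a dict of Django settings, e.g. vars(settings_module)."""
    findings = []
    if settings.get("DEBUG", False):
        findings.append("DEBUG=True: error pages disclose paths and settings")
    for host in settings.get("ALLOWED_HOSTS", []):
        # "*" and leading-dot patterns match hostnames beyond the one you serve.
        wildcard = host == "*" or host.startswith(".")
        if wildcard or not (host.endswith(".onion") or host in LOOPBACK_NAMES):
            findings.append(f"ALLOWED_HOSTS: {host!r} is not one .onion name or loopback")
    backend = settings.get("EMAIL_BACKEND", DJANGO_DEFAULT_EMAIL)
    if backend.endswith(".smtp.EmailBackend"):
        findings.append("EMAIL_BACKEND: SMTP connects out from the server itself")
    if settings.get("SECURE_SSL_REDIRECT", False):
        findings.append("SECURE_SSL_REDIRECT=True: redirects to https://, not served here")
    static_host = urlsplit(settings.get("STATIC_URL") or "").hostname
    if static_host and not static_host.endswith(".onion"):
        findings.append(f"STATIC_URL: assets load from {static_host}")
    return findings

# Constructed inputs: the guide's values and a risky variant.
GUIDE = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["your56charaddress.onion", "127.0.0.1"],
    "EMAIL_BACKEND": "django.core.mail.backends.console.EmailBackend",
    "SECURE_SSL_REDIRECT": False,
    "STATIC_URL": "/static/",
}
RISKY = {
    "DEBUG": True,
    "ALLOWED_HOSTS": ["*", "your56charaddress.onion"],
    "STATIC_URL": "https://cdn.example.com/static/",   # EMAIL_BACKEND left unset
}

if __name__ == "__main__":
    for finding in audit_onion_settings(RISKY):
        print("FINDING:", finding)
```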
AnubizHost — Python-Ready Tor Hosting
AnubizHost VPS plans support Python deployments with pre-installed Python 3.x, pip, virtualenv, and Tor. Deploy Flask, Django, FastAPI, or any Python web application as a .onion hidden service on our privacy-first infrastructure.
Our offshore servers in Iceland, Romania, and Finland provide the privacy-friendly jurisdictions your project needs. Pay with Bitcoin, Monero, or other cryptocurrencies — no KYC, no identity verification. Your Python .onion service can be live in under 30 minutes, with Gunicorn, Nginx, and Tor all pre-configured by our team.