Very broad topic, so thank you for bearing with me.
I’m running a Flask web server locally on a Raspberry Pi and want to open it up to the internet. I have briefly confirmed I can do this by forwarding port 80 to the Raspberry Pi running Flask. The Raspberry Pi has no sensitive information on it; this is just for fun.
I have changed the default password, required key-based SSH (even though I’m not exposing port 80), and installed ufw and fail2ban.
The web pages have no user authentication or web forms/inputs; they basically grab info from a database and present it on the page. I have read the Flask-Security docs, but they focus on complex websites with many entry points and user input, which I don’t have. This is a very basic 1-page app.
Questions:
If a user is browsing my site, can they access other computers on my network? If so, how can I protect against that?
What’s the preferred way of keeping my passwords (to MySQL) safe? Can the browser ever see the contents of my flask app?
If I’m pulling data from MySQL and passing it to the web pages, is there anything else I should be concerned about?
What other general concerns should I have? Any recommended reading or videos?