# Security

When using a local web server, you must protect your API from unauthorized access. CSRF attacks can be a major problem if the API is not adequately protected. pywebview generates a session-unique token that is exposed both to Python as `webview.token` and to the DOM as `window.pywebview.token`. See the Flask app for an example.

For building a custom solution, refer to this document for approaches to securing an API. A library like flask-seasurf can also be used alongside Flask.
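
One way to enforce the session token described above on every request to the local server, as an added example that is not pywebview's own code: a standard-library WSGI middleware that compares a request header against the token in constant time. `SESSION_TOKEN` stands in for `webview.token`, and the `X-Session-Token` header and the `require_token`, `api` and `call` names are assumptions made for this example.

```python
import hmac
import json
import secrets

# Stand-in for webview.token so the example runs without pywebview installed;
# in a real app pass webview.token to require_token() instead.
SESSION_TOKEN = secrets.token_hex(16)

# Hypothetical header (X-Session-Token in WSGI form); page JavaScript would
# copy window.pywebview.token into it on every request to the local API.
TOKEN_HEADER = "HTTP_X_SESSION_TOKEN"


def require_token(app, token):
    """WSGI middleware: reject any request that lacks the session token."""
    expected = token.encode()

    def middleware(environ, start_response):
        supplied = environ.get(TOKEN_HEADER, "").encode()
        # Constant-time comparison avoids leaking the token through timing.
        if not hmac.compare_digest(supplied, expected):
            body = b'{"error": "invalid or missing token"}'
            start_response("403 Forbidden", [
                ("Content-Type", "application/json"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return app(environ, start_response)

    return middleware


def api(environ, start_response):
    """Constructed sample endpoint standing in for the application's API."""
    body = json.dumps({"result": "ok"}).encode()
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app, method="POST", token=None):
    """Invoke a WSGI app in-process and return (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/api"}
    if token is not None:
        environ[TOKEN_HEADER] = token
    seen = {}
    chunks = app(environ, lambda status, headers: seen.update(status=status))
    return seen["status"], b"".join(chunks)


protected = require_token(api, SESSION_TOKEN)
```

A cross-site page can make the browser send a request to the local port, but it cannot read the token from the pywebview window, so its requests are answered with 403.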