When using a local web server, you must protect your API from unauthorized access. CSRF attacks can be a major problem if the API is not adequately protected. pywebview generates a session-unique token that is exposed both to Python as webview.token and to the DOM as window.pywebview.token. See Flask app for an example.

To build a custom solution, refer to this document for approaches to securing an API. A library such as flask-seasurf can also be used alongside Flask.
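
The token check described above can be enforced once for every route of the local server. The following is an added example, not pywebview's or the Flask example's own code: a standard-library WSGI middleware that compares a request header against the session token in constant time. The header name `X-App-Token` and the helpers `require_token`, `api` and `call` are assumptions made for illustration, and `SESSION_TOKEN` is a constructed stand-in for `webview.token`.

```python
import hmac
import secrets
from wsgiref.util import setup_testing_defaults


def require_token(app, expected_token, header="HTTP_X_APP_TOKEN"):
    """WSGI middleware: reject requests whose token header does not match."""
    expected = expected_token.encode()

    def guarded(environ, start_response):
        supplied = environ.get(header, "").encode()
        # Constant-time comparison so response timing does not leak the token.
        if not hmac.compare_digest(supplied, expected):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"invalid or missing token"]
        return app(environ, start_response)

    return guarded


def api(environ, start_response):
    """Hypothetical API endpoint standing in for the real application."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"status": "ok"}']


def call(app, token=None):
    """Drive the WSGI app in-process and return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    if token is not None:
        environ["HTTP_X_APP_TOKEN"] = token
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    return seen.get("status") or (b"".join(app(environ, start_response)) and None) \
        or seen["status"], b"".join(app(environ, start_response))


# Constructed stand-in; in a pywebview app pass webview.token instead.
SESSION_TOKEN = secrets.token_hex(16)
protected = require_token(api, SESSION_TOKEN)

if __name__ == "__main__":
    print(call(protected))                 # no token, as in a cross-site request
    print(call(protected, SESSION_TOKEN))  # page script sending window.pywebview.token
```

Because the middleware wraps the whole application, a route added later cannot be left unprotected by forgetting a per-view decorator.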