syzible
7y

How much of a security risk is it to serve static data from a JSON file on Flask? Values are posted from a mobile device to a server to groom objects to return. My coworker is giving me a lot of shit for it as the file is accessed through a relative path, but the file names are checked and sanitised. He says the objects should be in a database.

Comments
  • 1
    Well it kind of depends, is the file only being used for development? And will this JSON file grow? Also are there user passwords stored in this JSON file? I personally would choose to store any data in a database, then serialize it into JSON (which is fairly easy since it is similar to a dict). But if it's only for front end development with test data that will later be stored in a DB, then I say go for it until you're ready to migrate it.
  • 0
    @turturtles no passwords or any personal data, and it will not grow over time. It's just some small sets of recommendations to be given, with fields depending on what fields are passed for, as per the blood glucose level of the user. All user data is stored in a database with salted passwords.
  • 1
    @syzible then I do not see any increase of risk for serving the JSON file vs making a call to a database for the same data and serializing it into the proper format needed. It's no different than sending an HTML file for the request. I would definitely make sure to validate any data being posted from the client. This is under the assumption, from my understanding of what you stated:
    User posts a 1 and, based on the input of 1, receives the correct JSON file data based on some server-side logic (this was highly simplified).
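The pattern the thread converges on (validate the posted value, decide server-side, never let the client name the file) as an added example that is not code from the thread; the Flask route wiring is left out, and the glucose thresholds, range bounds and file contents are constructed placeholders, not clinical guidance.

```python
import json
import tempfile
from pathlib import Path
from typing import Optional

# Constructed stand-ins for the recommendation files described in the thread.
SAMPLE_FILES = {
    "low.json": {"advice": "sample text for low range", "recheck_minutes": 15},
    "normal.json": {"advice": "sample text for normal range", "recheck_minutes": 0},
    "high.json": {"advice": "sample text for high range", "recheck_minutes": 60},
}

# Fixed mapping from a server-side category to a file name. The client never
# supplies a file name, so there is nothing to "sanitise" against traversal.
CATEGORY_TO_FILE = {"low": "low.json", "normal": "normal.json", "high": "high.json"}


def make_data_dir() -> Path:
    """Write the constructed sample files to a temp dir so the example runs offline."""
    data_dir = Path(tempfile.mkdtemp())
    for name, body in SAMPLE_FILES.items():
        (data_dir / name).write_text(json.dumps(body))
    return data_dir


def parse_glucose(raw: str) -> Optional[float]:
    """Validate the posted value: numeric and inside a plausible range, else reject."""
    try:
        value = float(raw)
    except (TypeError, ValueError):
        return None
    if not 20.0 <= value <= 600.0:  # placeholder bounds (assumption); also rejects NaN/inf
        return None
    return value


def category_for(glucose: float) -> str:
    """Server-side decision. Thresholds are placeholders, not medical advice."""
    if glucose < 70.0:
        return "low"
    if glucose > 180.0:
        return "high"
    return "normal"


def recommendation_for(raw_value: str, data_dir: Path) -> Optional[dict]:
    """Return the recommendation set for a posted reading, or None if the input is rejected."""
    glucose = parse_glucose(raw_value)
    if glucose is None:
        return None
    path = (data_dir / CATEGORY_TO_FILE[category_for(glucose)]).resolve()
    # Defence in depth: even with a fixed mapping, refuse anything that resolves
    # outside the data directory (bad mapping entry, symlink, misconfiguration).
    if data_dir.resolve() not in path.parents:
        return None
    with path.open() as fh:
        return json.load(fh)
```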