Tag Archive for python security flask

Vulnerability in my Flask API – jwt-extended

A cyber security specialist recently went through my Flask API to see how vulnerable it was, and it turns out it was very vulnerable. He was able to retrieve my Flask secret key and then view all the sessions, log in as an admin, and do anything else he really wanted to do. He was able to act as admin and get information on all our users.

How to Securely Input a Key to a Flask App

I am creating a Flask web application in Python where a user can input a key and the web app will retrieve the file associated with that key. What is a secure way for the key to be sent over HTTP and HTTPS? How would you implement this in a way that someone snooping on my network, or who comes across a tcpdump log from that time, cannot retrieve the key?