[ansc]

I think this is the thing with (web) frameworks. Are you really going to remember that? And actually do it? And work around and build those other gnarly things for CSRF, SSRF and XSS? If you only need to serve happy-case HTTP, for sure you're better of without a framework. At least my experience without using a framework is that it's a tad annoying when you need the extras. And requires a lot deeper understanding of things as you don't abstract it away which is good for learning, but might be cumbersome for actually shipping things.

[trinovantes]

For security/safety sensitive tasks, you should be using checklists e.g. [1] so you don't need to remember. Pilots use pre-takeoff checklists to reduce chances of human error. Likewise, you shouldn't assume the framework will give you proper defaults.

[1] https://github.com/0xRadi/OWASP-Web-Checklist