in server/__init__py:35
If a server admin forgets to set the APP_SETTINGS env or has a typo there the projects starts in development mode.
For security reasons the default mode should be production - still better to start in broken production environment than starting in develop mode where e.g. authentication might be disabled

Sounds good. Want to do a PR?