I’ve been using Streamlit for around 2 months now and found it very intuitive and pleasant to use.
I’m creating an app for my bachelor thesis, and in regard to that I would love to become more knowledgeable about the technicalities of how Streamlit functions, also in regard to security.
As far as I’ve gathered, Streamlit hosts a web server on port 8501 (if it’s free) and creates a connection from Python to a React frontend.
However, I cannot seem to find any documentation on how exactly it does this, nor any documentation on the security of Streamlit apart from this blog post:
Could someone kindly explain how Streamlit functions on a deeper level, and what measures are taken in regard to security?
Thank you for the swift response.
I’ve read (part of) the two links you provided and they explain exactly some of the things I was missing. Thank you for that.
I still have a few questions. Firstly just to be sure:
Streamlit’s frontend was created with React and not pure JavaScript, right?
Furthermore, as far as I can understand, Protocol Buffers are used to make data structure definitions of all the Streamlit components currently in Streamlit. This allows data to be sent seamlessly back and forth between Python and JavaScript by serializing and subsequently deserializing it.
This data is sent via HTTP requests made via the web server hosted by the Tornado framework between JavaScript and Python.
Am I missing any (major) steps in this process?
Additionally, in regard to security:
How secure is a Streamlit application hosted locally on a personal server?
I am definitely a novice when it comes to web security, but if you would be able to provide a link with information regarding this I would be exceedingly grateful, as I plan to write a section regarding this in my thesis.
Finally, I’ve also developed a custom component, and as far as I could gather from the article I initially linked to in this thread, these are hosted within an iframe with different sandbox attributes, hence not allowing them to alter the DOM or CSS of the main application and hence making them safe. However, the post states that you’ve introduced allow-scripts and allow-same-origin, which, as it says in the post:
lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.
Does this mean that Streamlit components thereby aren’t “safe”, and in that case, what measures should be taken against it when using components in one’s app?
In general, yes, things are written in React. But it’s hard to say there’s no JavaScript, since they all compile to JavaScript in the end.
Nope, that’s about it.
Security is a weird topic, because “security” can mean a lot of things. Streamlit is no less secure than any other project that uses Tornado (or other web-standard technology). Adding SSL to your app on a personal server is more involved than hosting on Streamlit Sharing, but it’s still possible using Apache or nginx.
In the end, security is a tradeoff between what you are trying to defend against and convenience/ability to share broadly with the world.
This is probably a better question for @tim, who wrote the blog post about components that you are referencing.
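To make the component-sandbox point raised above concrete, here is an added example in JavaScript. It is not code from Streamlit or from the blog post referenced in the thread; the origins `https://app.example` / `https://components.example` and the helper names are assumptions for illustration. It models what the iframe `sandbox` tokens permit, shows why `allow-scripts` together with `allow-same-origin` on a frame served from the app's own origin is equivalent to having no sandbox at all, and includes a browser-only demonstration of the framed script reaching the host document and stripping its own sandbox attribute.

```javascript
// Added example (not code from the Streamlit project or the blog post): a model of what
// the sandbox attribute on a component iframe permits, and why "allow-scripts allow-same-origin"
// on a frame served from the host's own origin is equivalent to no sandbox.
//
// Assumptions not stated in the thread: the host app's origin is https://app.example, and
// a component may be served either from that same origin or from a separate origin.

// Parse a sandbox attribute value as the HTML spec does: ASCII-whitespace separated tokens,
// compared case-insensitively. null means the iframe has no sandbox attribute at all.
function parseSandboxTokens(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// What the framed document can do, given the sandbox value and the two origins.
function frameCapabilities(sandboxAttr, frameOrigin, hostOrigin) {
  const tokens = parseSandboxTokens(sandboxAttr);
  const sandboxed = tokens !== null;
  const runsScripts = !sandboxed || tokens.has('allow-scripts');
  // Without allow-same-origin a sandboxed frame gets an opaque origin, which never
  // equals the host origin, so same-origin DOM access is impossible however it is served.
  const keepsOrigin = !sandboxed || tokens.has('allow-same-origin');
  const sameOriginAsHost = keepsOrigin && frameOrigin === hostOrigin;
  return {
    sandboxed,
    runsScripts,
    // Scripted access to parent.document (DOM, CSS, cookies of the host page).
    canTouchParentDom: runsScripts && sameOriginAsHost,
    // The escape quoted in the thread: window.frameElement is non-null only in a
    // same-origin frame, so the same condition governs removing the sandbox attribute.
    canRemoveOwnSandbox: sandboxed && runsScripts && sameOriginAsHost,
  };
}

// One hardening option: keep scripts but drop allow-same-origin. The other is to keep
// the tokens and serve the component from a different origin (see the cross-origin case).
function hardenedSandbox(sandboxAttr) {
  const tokens = parseSandboxTokens(sandboxAttr) || new Set();
  tokens.delete('allow-same-origin');
  return [...tokens].join(' ');
}

// Browser-only demonstration of the same point; returns null outside a browser.
// A srcdoc frame inherits the host's origin, so it is the same-origin case above.
function demoInBrowser(sandboxAttr) {
  if (typeof document === 'undefined' || typeof window === 'undefined') return null;
  const frame = document.createElement('iframe');
  if (sandboxAttr !== null) frame.setAttribute('sandbox', sandboxAttr);
  // The framed script tries to reach the host document. With both allow-scripts and
  // allow-same-origin it succeeds and can also strip its own sandbox attribute, which
  // takes effect the next time the frame is navigated. Without allow-same-origin the
  // parent.document access throws a SecurityError; without allow-scripts nothing runs.
  frame.srcdoc = `<script>
    try {
      parent.document.title = 'modified by component';
      frameElement.removeAttribute('sandbox');
      parent.postMessage('escaped', '*');
    } catch (e) {
      parent.postMessage('blocked: ' + e.name, '*');
    }
  <\/script>`;
  window.addEventListener('message', (ev) => console.log('component said:', ev.data));
  document.body.appendChild(frame);
  return frame;
}
```

The measures follow from `frameCapabilities`: either drop `allow-same-origin` (the frame then has an opaque origin and can reach neither `parent.document` nor `frameElement`, at the cost of losing its own origin's storage), or keep the tokens and serve components you do not fully trust from a separate origin. A host-side `MutationObserver` watching the `sandbox` attribute is not a defence in the same-origin case, since the framed script can disconnect it just as easily.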