Backend workings of Streamlit

Hello streamlit engineers

I’ve been using streamlit for around 2 months now and found it very intuitive and pleasant to use.
I’m creating an app for my bachelor thesis, and in regards to that I would love to become more knowledgeable about the technicalities of how streamlit functions also in regards to security.
As far as I’ve gathered streamlit hosts a web server on port 8501 (if its free) and creates a connection from python to a react frontend.
However I cannot seem to find any documentation on how it exactly does this, nor any documentation on the security of streamlit apart from this blogpost:

Could someone kindly explain how streamlit functions on a deeper level, and what measures are taken in regard to security?

HI @Cubba2412 -

At the most basic level, Streamlit is served via Tornado:

To pass information between Python and JavaScript, the protocol buffers serialization format is used:

After reading through those two, if you have specific questions, let us know and someone in the community or from Streamlit can take a look!


1 Like

Hey Randy

Thank you for the swift response.
I’ve read (part of) the two links you provided and they explain exactly some of the things I was missing. Thank you for that.
I still have a few questions. Firstly just to be sure:

  • Streamlits frontend was created with React and not pure JavaScript right?

Furthermore as far as I can understand, Protocol Buffers are used to make data structure definitions of all the Streamlit component currently in Streamlit. This allows to seamlessly send data back and forth from Python to JavaScript by serializing and subsequently deserializing the data.
This data is sent via HTTP requests made via the web server hosted by the Tornado Framework between JavaScript and Python.

  • Am I missing any (major) steps in this process?

Additionally in regards to security:

  • How secure is a Streamlit application hosted locally on personal server?

I am definitely a novice when it comes to web security, but if you would be able to provide a link with information regarding this I would be exceedingly grateful, as I plan to write a section regarding this in my thesis.
Finally I’ve also developed a custom component and as far as I could gather in the article I initially linked to in the thread these are hosted within an iframe with different sandbox attributes, hence not allowing it to alter the DOM or CSS of the main application, hence making it safe. However in the post it states that you’ve introduced the allow-scripts and allow-same-origin which as it says in the post:

lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.

  • Does this mean that Streamlit components thereby aren’t “safe” and in that case, what measures should be taken against it when using components in ones app?

Best Regards,

In general, yes, things are written in React. But it’s hard to say there’s no JavaScript, since they all compile to JavaScript in the end.

Nope, that’s about it.

Security is a weird topic, because “security” can mean a lot of things. Streamlit is no less secure than any other project that uses Tornado (or other web-standard technology). Adding SSL to your app on a personal server is more involved than hosting on Streamlit sharing, but it’s still possible using Apache or nginx.

In the end, security is a tradeoff between what you are trying to defend against and convenience/ability to share broadly with the world.

This is probably a better question for @tim, who wrote the blog post about components that you are referencing.

1 Like