Hello there,
I would like to ask: is there a way in Streamlit to set that other users can't embed my application using the iframe src? Because to stop this I tried to embed it inside a Flask API endpoint and control HTTP headers like that, but that is cumbersome and might not work for production at all.
Thanks for the answers!
Hey @Simon2! I am not sure whether it would help with your scenario, but it might be worth trying setting --server.enableCORS=false --server.enableXsrfProtection=false
when you start the Streamlit app (see Docs)
Wouldn't this lower the security of the app? During the startup of the server, can't I block the header that's always sent with the iframe tag if someone from another website wants to embed my app into theirs?
Oh oops, sorry I misread your question! I thought you wanted to enable it but you actually want to block it from happening, right?
It does not look like we allow configuring CSP headers or so right now.
We have two open issues here for it:
- Allow configuring HTTP Security Headers · Issue #9160 · streamlit/streamlit · GitHub
- Handling Security Headers in Streamlit · Issue #6417 · streamlit/streamlit · GitHub
and the best would be to upvote them!
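Added example, not part of the thread and not Streamlit code: whichever layer ends up setting the response headers for the app, this sketch classifies what a browser would conclude about framing from `X-Frame-Options` and the CSP `frame-ancestors` directive. The function names and the header values used to exercise it are constructed for illustration.

```python
# Added example. All header values used with it are constructed samples.

def frame_ancestors(policy):
    """Source list of the first frame-ancestors directive in one policy, else None."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_policy(headers):
    """Classify (name, value) response header pairs as
    'blocked', 'same-origin', 'allow-list' or 'unprotected'."""
    csp, xfo = [], set()
    for name, value in headers:
        name = name.lower()
        if name == "content-security-policy":  # the Report-Only variant is not enforced
            for policy in value.split(","):    # one header may carry several policies
                sources = frame_ancestors(policy)
                if sources is not None:
                    csp.append(sources)
        elif name == "x-frame-options":
            xfo.update(v.strip().upper() for v in value.split(","))
    if csp:
        # Once frame-ancestors is enforced, browsers ignore X-Frame-Options.
        # Every policy must allow the embedder, so the strictest one decides.
        if any(s in ([], ["'none'"]) for s in csp):
            return "blocked"
        if any(s == ["'self'"] for s in csp):
            return "same-origin"
        return "unprotected" if all("*" in s for s in csp) else "allow-list"
    if len(xfo) > 1 and xfo & {"DENY", "SAMEORIGIN", "ALLOWALL"}:
        return "blocked"  # conflicting values fail closed per the HTML standard
    if xfo == {"DENY"}:
        return "blocked"
    if xfo == {"SAMEORIGIN"}:
        return "same-origin"
    return "unprotected"  # no header, or ALLOW-FROM / unknown value (ignored)

if __name__ == "__main__":
    # Constructed response: CSP allow-list present, so X-Frame-Options is ignored.
    sample = [("Content-Security-Policy", "frame-ancestors https://partner.example"),
              ("X-Frame-Options", "DENY")]
    print(framing_policy(sample))
```
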