Is file_uploader secure enough for sensitive data?

Dear all,

I am making a streamlit app where a non-tech-savvy professional can upload (with st.file_uploader) a csv/excel report containing sensitive data about clients. My app visualizes those data.

I have no experience with cyber security and am wondering if this approach is secure (provided I use SSL/TLS), or whether the data can leak somehow? Are they sent to and from my app encrypted? In another post someone shared the following:

> I’m breaching the “locally” part but could you host your Streamlit app on a server and use the st.file_uploader so users can upload their private data and analyze it? Each user should get their session and not access other people’s sessions.

Would really appreciate your input!

1 Like

Hi @NHameleers, thanks for checking out Streamlit!

Even with SSL/TLS, I would caution that Streamlit hasn’t currently proven (AFAIK) that information doesn’t leak across sessions, where by “proven” I mean certified by any external security audit. Part of the design of the Streamlit cache is to share across sessions, providing a performance boost to all users of an app. If you’re not caching the results, this might not be an issue, but again, we don’t have documentation to prove its safety.

So with an app on an internal VPN, it might practically be secure enough, but it is not something that we can guarantee at this time.

Best,
Randy

1 Like
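The reply above points at the cache, which is shared across sessions, as the place where data could cross between users. The sketch below is an added example, not code from either poster or from the Streamlit project: it parses the upload in memory and reuses the parsed result only through `st.session_state`, with no cache decorator anywhere near the upload. The helper names (`summarize_csv`, `get_summary`, `run_app`), the state keys and the assumption of a UTF-8 CSV file are illustrative.

```python
"""Added example: per-session handling of an uploaded CSV, with no shared cache."""
import csv
import hashlib
import io


def summarize_csv(raw: bytes) -> dict:
    """Parse CSV bytes in memory (never written to disk) and return a summary."""
    text = raw.decode("utf-8-sig")  # tolerate the BOM Excel adds to CSV exports
    rows = list(csv.DictReader(io.StringIO(text)))
    columns = list(rows[0].keys()) if rows else []
    return {"rows": len(rows), "columns": columns, "records": rows}


def get_summary(state, raw: bytes) -> dict:
    """Reuse a parsed result only from this session's own state.

    `state` is any dict-like object; in the app it is st.session_state, which
    Streamlit keeps separately for each browser session.
    """
    digest = hashlib.sha256(raw).hexdigest()
    if "upload_digest" not in state or state["upload_digest"] != digest:
        state["upload_digest"] = digest
        state["upload_summary"] = summarize_csv(raw)
    return state["upload_summary"]


def run_app() -> None:
    import streamlit as st  # imported here so the helpers can be tested without it

    st.title("Client report viewer")
    uploaded = st.file_uploader("Upload report", type=["csv"])
    if uploaded is None:
        # Drop the previous report from this session once the file is removed.
        for key in ("upload_digest", "upload_summary"):
            if key in st.session_state:
                del st.session_state[key]
        return
    # Deliberately no @st.cache_data / @st.cache_resource on anything that
    # touches the upload: those caches are shared by all sessions of the app.
    summary = get_summary(st.session_state, uploaded.getvalue())
    st.write(f"{summary['rows']} rows, columns: {summary['columns']}")
    st.dataframe(summary["records"])


if __name__ == "__main__":  # `streamlit run` executes the script as __main__
    run_app()
```

This only addresses the cache concern raised in the reply; transport encryption still depends on serving the app over TLS, as the question assumes.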