I am making a streamlit app where a non-tech-savvy professional can upload (with st.file_uploader) a csv/excel report containing sensitive data about clients. My app visualizes those data.
I have no experience with cyber security and am wondering if this approach is secure (provided I use SSL/TLS), or whether the data can leak somehow? Are they sent to and from my app encrypted? In another post someone shared the following:
“I’m breaching the “locally” part but could you host your Streamlit app on a server and use the st.file_uploader so users can upload their private data and analyze it? Each user should get their session and not access other people’s sessions.”
Hi @NHameleers, thanks for checking out Streamlit!
Even with SSL/TLS, I would caution that Streamlit hasn’t currently proven (AFAIK) that information doesn’t leak across sessions, where by “proven” I mean certified by any external security audit. Part of the design of the Streamlit cache is to share across sessions, providing a performance boost to all users of an app. If you’re not caching the results, this might not be an issue, but again, we don’t have documentation to prove its safety.
So with an app on an internal VPN, it might practically be secure enough, but it is not something that we can guarantee at this time.
Thanks for the response, I had a similar question. So, the recommendation is that it is better to remove st.cache() for st.file_uploader functionality if the Streamlit app is hosted on a server where users might upload sensitive data… There could be issues with data leaking across sessions, since by design the Streamlit cache will be shared across sessions. Is my interpretation right?
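The cross-session concern raised in this thread, as an added example that is not part of any post above and is not Streamlit's code: a plain-Python simulation of one server process holding a memo store shared by every session. All names (`SharedCache`, `load_keyed_by_name`, and so on) and the sample uploads are hypothetical and constructed for illustration; it shows how a weak cache key hands one user's parsed rows to another, next to two variants that do not.

```python
import hashlib

# Constructed sample uploads: two users, same file name, different clients.
ALICE_UPLOAD = b"client,balance\nAcme,100\n"
BOB_UPLOAD = b"client,balance\nGlobex,250\n"

class SharedCache:
    """One memo store per server process, visible to every session."""
    def __init__(self):
        self._store = {}

    def get_or_compute(self, key, compute):
        if key not in self._store:
            self._store[key] = compute()
        return self._store[key]

def parse_csv(raw):
    lines = raw.decode().strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]

def load_keyed_by_name(cache, filename, raw):
    # Weak key: the file name says nothing about who uploaded what.
    return cache.get_or_compute(("name", filename), lambda: parse_csv(raw))

def load_keyed_by_content(cache, filename, raw):
    # Key on a digest of the bytes: different uploads never share an entry.
    digest = hashlib.sha256(raw).hexdigest()
    return cache.get_or_compute(("sha256", digest), lambda: parse_csv(raw))

def load_per_session(session, filename, raw):
    # No shared store at all: parsed rows live in this session's own dict.
    digest = hashlib.sha256(raw).hexdigest()
    if session.get("digest") != digest:
        session.update(digest=digest, rows=parse_csv(raw))
    return session["rows"]

def run_demo():
    weak, strong = SharedCache(), SharedCache()
    alice_session, bob_session = {}, {}
    # Alice uploads first in every variant, then Bob uploads his own file.
    load_keyed_by_name(weak, "report.csv", ALICE_UPLOAD)
    load_keyed_by_content(strong, "report.csv", ALICE_UPLOAD)
    load_per_session(alice_session, "report.csv", ALICE_UPLOAD)
    return {
        "by_name": load_keyed_by_name(weak, "report.csv", BOB_UPLOAD),
        "by_content": load_keyed_by_content(strong, "report.csv", BOB_UPLOAD),
        "per_session": load_per_session(bob_session, "report.csv", BOB_UPLOAD),
    }
```

In the `by_name` variant Bob's session receives Alice's rows; the other two return Bob's own data.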