Security issue - stack trace best practices?

Oliver_Rock · January 30, 2023, 10:42am

How to mitigate the security issue of streamlit displaying stack traces

By default, streamlit is displaying stack traces to the user. For me this is considered a high risk security breach as it displays code to a user. They may be able to access secrets or other dangerous info from the code.

At the moment I run my entire app in a try/except block to mitigate this.

I have two questions:

Is this the accepted method for hiding the stack trace from users?
Is there any way that a stacktrace could still be shown to a user?

Thanks for any advice

My current setup

Code snippet:

if __name__ == "__main__":
    try:
        # method to run the app
        run()

    except Exception as e:

        st.error(
            "An error occurred during this operation. Please reload the page and try again."
        )
        logging.exception("Exception caught at while running app")

Caroline · January 31, 2023, 9:49pm

Hey @Oliver_Rock,

Have you checked out the config options? You can set the following in your config.toml file:

# Controls whether uncaught app exceptions are displayed in the browser. By default, this is set to True and Streamlit displays app exceptions and associated tracebacks in the browser.
# If set to False, an exception will result in a generic message being shown in the browser, and exceptions and tracebacks will be printed to the console only.
# Default: true
showErrorDetails = true

Oliver_Rock · March 1, 2023, 11:00am

Thanks for the tip! But I have been trying out this config but it seems to not work consistently. For example, when my app is using multiple pages