Security reminders

Never save usernames, passwords, or security keys directly in your code or commit them to your repository.

Avoid putting sensitve information in your code by using environment variables. Be sure to check out st.secrets. Research any platform you use to follow their security best practices. If you use Streamlit Community Cloud, Secrets management allows you save environment variables and store secrets outside of your code.

If you use any sensitive or private information during development, make sure that information is saved in separate files from your code. Ensure .gitignore is properly configured to prevent saving private information to your repository.

Streamlit's st.cache_data and st.session_state implicitly use the pickle module, which is known to be insecure. It is possible to construct malicious pickle data that will execute arbitrary code during unpickling. Never load data that could have come from an untrusted source in an unsafe mode or that could have been tampered with. Only load data you trust.

  • When using st.cache_data, anything your function returns is pickled and stored, then unpickled on retrieval. Ensure your cached functions return trusted values. This warning also applies to st.cache (deprecated).
  • When the runner.enforceSerializableSessionState configuration option is set to true, ensure all data saved and retrieved from Session State is trusted.

Still have questions?

Our forums are full of helpful information and Streamlit experts.