Protect your secrets
Never save usernames, passwords, or security keys directly in your code or commit them to your repository.
Use environment variables
Avoid putting sensitive information in your code by using environment variables. Be sure to check out st.secrets. Research any platform you use to follow its security best practices. If you use Streamlit Community Cloud, Secrets management allows you to save environment variables and store secrets outside of your code.
If you use any sensitive or private information during development, make sure that information is saved in separate files from your code. Ensure .gitignore is properly configured to prevent saving private information to your repository.
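The two habits above, reading credentials from the environment or a secrets file instead of source, and confirming .gitignore excludes that file, as an added example. This is not Streamlit's own code: the path .streamlit/secrets.toml (Streamlit's default secrets location) and the variable name DB_PASSWORD are illustrative, and the gitignore matcher covers the common literal and wildcard forms rather than full gitignore semantics (negation with ! is skipped).

```python
"""Added example, not Streamlit's own code: read a credential from the
environment or from a secrets file kept out of version control, and check
that .gitignore really excludes that file.

Assumptions: the path .streamlit/secrets.toml and the name DB_PASSWORD are
illustrative; the gitignore check handles literal paths, directory
patterns and wildcards, not negation (!) or every gitignore corner case.
"""
import fnmatch
import os
from pathlib import Path
from typing import Mapping, Optional

try:
    import tomllib  # Python 3.11+
except ImportError:  # older interpreters: minimal line parser below
    tomllib = None

SECRETS_FILE = ".streamlit/secrets.toml"

# What NOT to do: a credential baked into source gets committed, diffed and
# logged forever.
#   DB_PASSWORD = "hunter2"   # never do this


def _read_secrets_file(path: Path) -> dict:
    """Load key/value pairs from a TOML secrets file (fallback parser handles
    only simple top-level `key = "value"` lines)."""
    text = path.read_text(encoding="utf-8")
    if tomllib is not None:
        return tomllib.loads(text)
    result = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip().strip('"')
    return result


def get_secret(name: str, env: Optional[Mapping[str, str]] = None,
               secrets_file: str = SECRETS_FILE) -> str:
    """Return the secret called `name`, preferring the process environment,
    then the secrets file. Raise KeyError if it is configured nowhere, so a
    missing secret fails loudly instead of silently using a default."""
    env = os.environ if env is None else env
    value = env.get(name)
    if value:
        return value
    path = Path(secrets_file)
    if path.is_file():
        data = _read_secrets_file(path)
        if name in data:
            return str(data[name])
    raise KeyError(f"secret {name!r} is not set in the environment or in {secrets_file}")


def secrets_file_is_ignored(gitignore_text: str,
                            secrets_path: str = SECRETS_FILE) -> bool:
    """Return True if any pattern in the given .gitignore text excludes
    secrets_path: exact paths, directory patterns ending in '/', and
    wildcard patterns applied to the full path or the bare file name."""
    basename = secrets_path.rsplit("/", 1)[-1]
    for raw in gitignore_text.splitlines():
        pat = raw.strip()
        if not pat or pat.startswith("#") or pat.startswith("!"):
            continue
        anchored = pat.startswith("/")
        pat = pat.lstrip("/")
        if pat.endswith("/"):
            # directory pattern: the file is ignored if it lives under it
            if secrets_path.startswith(pat):
                return True
        elif "/" in pat or anchored:
            if fnmatch.fnmatchcase(secrets_path, pat):
                return True
        elif fnmatch.fnmatchcase(basename, pat):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample .gitignore contents.
    good = "__pycache__/\n.streamlit/secrets.toml\n*.pyc\n"
    bad = "__pycache__/\n*.pyc\n"
    print("good .gitignore covers secrets:", secrets_file_is_ignored(good))
    print("bad .gitignore covers secrets:", secrets_file_is_ignored(bad))
```

Run secrets_file_is_ignored over your real .gitignore as a pre-commit step; the value of get_secret raising on a missing name is that a misconfigured deployment stops at startup rather than running with an empty or default password.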
st.session_state implicitly uses the pickle module, which is known to be insecure. It is possible to construct malicious pickle data that will execute arbitrary code during unpickling. Never load data that could have come from an untrusted source in an unsafe mode or that could have been tampered with. Only load data you trust.
- When using st.cache_data, anything your function returns is pickled and stored, then unpickled on retrieval. Ensure your cached functions return trusted values. This warning also applies to
- When the runner.enforceSerializableSessionState configuration option is set to true, ensure all data saved and retrieved from Session State is trusted.
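The two risks named above, a pickle that names an arbitrary callable and a stored pickle that has been tampered with, each have a standard defence. This added example (not Streamlit's code) shows both: an allowlisted Unpickler, the pattern from the Python documentation's "Restricting Globals" section, and an HMAC-SHA256 tag checked before anything is unpickled. It applies to data you deserialize yourself before placing it in st.cache_data or st.session_state; Streamlit does not expose a hook to replace its internal unpickler. The key, allowlist and sample values are constructed for the demo.

```python
"""Added example, not Streamlit's own code: two defences for data you
pickle into a cache file or session store and unpickle later.

1. An allowlisted Unpickler (Python docs, "Restricting Globals"): any
   class or function the pickle names that is not on the allowlist is
   refused, so the stream cannot resolve an arbitrary callable.
2. An HMAC-SHA256 tag over the serialized bytes, verified in constant time
   before unpickling, so a cache file altered on disk is rejected.

DEMO_KEY, ALLOWED_GLOBALS and TRUSTED are constructed for the demo; load a
real key from the environment or st.secrets.
"""
import hashlib
import hmac
import io
import pickle
from datetime import date

# (module, name) pairs the unpickler may resolve; everything else is refused.
ALLOWED_GLOBALS = frozenset({
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
})
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on an explicit allowlist."""

    def __init__(self, stream, allowed=ALLOWED_GLOBALS):
        super().__init__(stream)
        self.allowed = allowed

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes, allowed=ALLOWED_GLOBALS):
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


def sign(data: bytes, key: bytes) -> bytes:
    """Prefix serialized bytes with an HMAC-SHA256 tag."""
    return hmac.new(key, data, hashlib.sha256).digest() + data


def verify_and_load(blob: bytes, key: bytes, allowed=ALLOWED_GLOBALS):
    """Check the tag in constant time, then unpickle with the allowlist."""
    tag, data = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: cached data was modified")
    return restricted_loads(data, allowed)


DEMO_KEY = b"constructed-demo-key-do-not-reuse"
TRUSTED = {"user": "alice", "counts": [1, 2, 3], "tags": {"a", "b"}}


def trusted_roundtrip() -> bool:
    """Plain containers sign, verify and load back unchanged."""
    blob = sign(pickle.dumps(TRUSTED), DEMO_KEY)
    return verify_and_load(blob, DEMO_KEY) == TRUSTED


def tampered_blob_is_rejected() -> bool:
    """Flipping one payload byte fails the HMAC check before unpickling."""
    blob = sign(pickle.dumps(TRUSTED), DEMO_KEY)
    flipped = blob[:TAG_LEN] + bytes([blob[TAG_LEN] ^ 0xFF]) + blob[TAG_LEN + 1:]
    try:
        verify_and_load(flipped, DEMO_KEY)
    except ValueError:
        return True
    return False


def unlisted_class_is_rejected() -> bool:
    """datetime.date is harmless but not allowlisted, so its pickle is refused."""
    try:
        restricted_loads(pickle.dumps(date(2024, 1, 1)))
    except pickle.UnpicklingError:
        return True
    return False


def unlisted_class_loads_once_allowed() -> bool:
    """Extending the allowlist is the only way to make such a class load."""
    allowed = ALLOWED_GLOBALS | {("datetime", "date")}
    return restricted_loads(pickle.dumps(date(2024, 1, 1)), allowed) == date(2024, 1, 1)


if __name__ == "__main__":
    print("trusted round trip:", trusted_roundtrip())
    print("tampered blob rejected:", tampered_blob_is_rejected())
    print("unlisted class rejected:", unlisted_class_is_rejected())
    print("loads once allowlisted:", unlisted_class_loads_once_allowed())
```

The allowlist is deliberately tiny: every entry you add is a callable an attacker-controlled pickle may invoke, so prefer plain containers and add classes one by one. The HMAC only proves the bytes are what your own process wrote; it does nothing for data that was untrusted before it was signed.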