Gradio
Security scanning for Gradio apps
Gradio + HuggingFace Spaces is the fastest way to ship an ML demo — and the fastest way to ship a leaky one. The platform exposes everything by default. Scan to find what should be locked down.
Most common issues
- 01 Public Spaces with sensitive model weights or training data accessible
- 02 API keys (OpenAI, Anthropic) hardcoded in app.py instead of using HF Spaces secrets
- 03 Missing security headers on custom-deployed Gradio apps
What SafeToShip checks for Gradio
- js-secrets
- exposed-files
- headers
- ssl
- tech-detect
FAQ
Frequently asked questions
- How do I add auth to a Gradio Space?
- gr.Interface(...).launch(auth=("user", "pass")) for basic gating (auth is an argument to launch(), not to the gr.Interface constructor), or set "Private" in Space settings. For real auth, use HuggingFace OAuth via @gr.OAuth or wrap with a reverse proxy.
- Where do I put secrets in a HuggingFace Space?
- Settings → Variables and secrets. Reference in your code via os.environ. Never hardcode in app.py — Space code is publicly browseable.
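A pre-publish check for the two answers above, as an added example (not SafeToShip's or Gradio's code): it parses app.py with Python's ast module, without running it, and flags key-shaped literals, secret-named assignments, and literal auth= credentials. The key patterns, SAMPLE_APP, and the function names are assumptions made for illustration.

```python
import ast
import re

# Assumed, approximate key shapes; not an official or exhaustive list.
KEY_PATTERNS = {
    "anthropic": re.compile(r"^sk-ant-[A-Za-z0-9_-]{20,}$"),
    "openai": re.compile(r"^sk-[A-Za-z0-9_-]{20,}$"),
}
SECRET_NAME = re.compile(r"api_?key|secret|token|password", re.I)

# Constructed sample app.py; the key below is a made-up placeholder.
SAMPLE_APP = '''\
import os
import gradio as gr

OPENAI_API_KEY = "sk-CONSTRUCTEDconstructed0123456789"
anthropic_key = os.environ["ANTHROPIC_API_KEY"]
db_password = "hunter2-constructed"

demo = gr.Interface(fn=lambda s: s, inputs="text", outputs="text")
demo.launch(auth=("user", "pass"))
'''

def classify(value):
    """Return the provider name if the literal looks like a key, else None."""
    return next((p for p, rx in KEY_PATTERNS.items() if rx.match(value)), None)

def find_hardcoded_secrets(source):
    """Return sorted (line, kind, detail) findings; source is parsed, never run."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if classify(node.value):  # key-shaped literal anywhere in the file
                findings.append((node.lineno, "key-literal", classify(node.value)))
        elif isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            lit = node.value.value  # NAME = "literal" with a secret-sounding NAME
            if isinstance(lit, str) and lit and not classify(lit):
                findings += [(node.lineno, "secret-name", t.id) for t in node.targets
                             if isinstance(t, ast.Name) and SECRET_NAME.search(t.id)]
        elif isinstance(node, ast.keyword) and node.arg == "auth":
            # launch(auth=("user", "pass")) puts credentials in browseable code
            if isinstance(node.value, ast.Tuple) and all(
                    isinstance(e, ast.Constant) for e in node.value.elts):
                findings.append((node.value.lineno, "auth-literal", "auth"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_APP):
        print(finding)
```

Values read through os.environ produce no finding, so a clean result means the file holds no literal credentials the check recognises, not that the Space is otherwise locked down.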
Fix guides
Common Gradio fixes
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Exposed .env file
An exposed .env file is a critical leak — it contains API keys, database URLs, and secrets. Here is why it happens in vibe-coded apps and how to lock it down.
Missing CSP header
A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Missing HSTS header
HSTS tells browsers to always use HTTPS for your site. Without it, users can be downgraded to HTTP and have sessions stolen. Here is how to add HSTS on Vercel, Next.js, and other hosts.
Run a Gradio security scan
Free. 70+ checks. 60 seconds.