Streamlit
Security scanning for Streamlit apps
Streamlit accelerates data app development for ML engineers, but the typical deployment is a public URL with nothing in front of it: no authentication, no reverse proxy setting security headers. If the app touches real data, run a scan to confirm the basic perimeter (auth, response headers, TLS, no reachable secret files) is actually in place.
Most common issues
- secrets.toml (the file behind st.secrets) reachable at the deployed URL when a static-file rule or reverse proxy is misrouted to the project directory
- Streamlit Community Cloud apps with viewer access left public, exposing data widgets to anyone with the link
- Missing CSP/HSTS on custom-deployed Streamlit (Render, Cloud Run), where nothing in front of the app sets them
What SafeToShip checks for Streamlit
- exposed-files
- js-secrets
- headers
- ssl
- tech-detect
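The two checks above that matter most for Streamlit, exposed secret files and missing CSP/HSTS, are easy to reproduce by hand. The script below is an added example written for this page, not SafeToShip's scanner or Streamlit's code. It probes a handful of assumed leak paths (only .streamlit/secrets.toml is Streamlit's real location; the rest are common guesses), and it treats a 200 as a hit only when the body looks like the file, because Streamlit's single-page front end and many hosts answer unknown paths with the app's HTML shell. The fetcher is injectable so the example runs offline against constructed responses; pass the real http_fetch to probe a deployment you own. The 6-month HSTS threshold is an assumed minimum, not a standard.

```python
"""Perimeter probe for a deployed Streamlit app: reachable secret files
and missing/weak CSP and HSTS headers. Illustrative, not a full scanner."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
import urllib.error
import urllib.request

# Candidate leak paths. ".streamlit/secrets.toml" is where Streamlit reads
# st.secrets from; the others are assumed, commonly misrouted files.
EXPOSED_PATHS = ("/.streamlit/secrets.toml", "/secrets.toml", "/.env", "/.git/config")

REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS: browser keeps using HTTPS after first visit",
    "content-security-policy": "CSP: restricts where scripts may load from",
}
MIN_HSTS_MAX_AGE = 15552000  # assumed floor: 180 days

# A fetcher returns (status, lowercase headers, body prefix).
Fetcher = Callable[[str], Tuple[int, Dict[str, str], str]]


def http_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    """Real fetcher (stdlib only); used when scanning a live deployment."""
    req = urllib.request.Request(url, headers={"User-Agent": "streamlit-perimeter-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, hdrs, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}, ""


def looks_like_secret_file(path: str, body: str) -> bool:
    """A 200 alone proves nothing: SPA hosts serve index.html for any path.
    Require the body to resemble the requested file's format."""
    if "<html" in body.lower():
        return False
    if path.endswith(".toml"):
        return "=" in body and ("[" in body or '"' in body)
    if path.endswith(".env"):
        return any(ln.strip() and "=" in ln and not ln.lstrip().startswith("#")
                   for ln in body.splitlines())
    if path.endswith("config"):
        return "[core]" in body or "[remote" in body
    return False


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    present = {k.lower() for k in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]


def hsts_max_age(value: str) -> int:
    """Parse max-age out of a Strict-Transport-Security value; 0 if absent/bad."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age":
            return int(val) if val.strip().isdigit() else 0
    return 0


@dataclass
class Report:
    exposed: List[str] = field(default_factory=list)
    missing_headers: List[str] = field(default_factory=list)
    weak_hsts: bool = False


def scan(base_url: str, fetch: Fetcher = http_fetch) -> Report:
    base = base_url.rstrip("/")
    report = Report()
    _, headers, _ = fetch(base + "/")
    report.missing_headers = missing_security_headers(headers)
    hsts = headers.get("strict-transport-security")
    report.weak_hsts = hsts is not None and hsts_max_age(hsts) < MIN_HSTS_MAX_AGE
    for path in EXPOSED_PATHS:
        status, _, body = fetch(base + path)
        if status == 200 and looks_like_secret_file(path, body):
            report.exposed.append(path)
    return report


# Constructed responses imitating a misconfigured deploy: no CSP, a
# 5-minute HSTS, secrets.toml served by a static rule, and /.env answered
# with the SPA shell (a false positive the content check must ignore).
FAKE_SITE = {
    "/": (200, {"content-type": "text/html", "strict-transport-security": "max-age=300"},
          "<html><body>app</body></html>"),
    "/.streamlit/secrets.toml": (200, {"content-type": "text/plain"},
                                 '[db]\nurl = "postgresql://app:hunter2@db/app"\n'),
    "/.env": (200, {"content-type": "text/html"}, "<html><body>app</body></html>"),
}


def fake_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    path = url[url.index("/", len("https://")):]
    return FAKE_SITE.get(path, (404, {}, ""))


def demo() -> Report:
    return scan("https://example.invalid", fetch=fake_fetch)


if __name__ == "__main__":
    print(demo())
```

Run it as-is to see the constructed findings; to probe a live app you own, call scan("https://your-app.example") with the default fetcher. Anything in Report.exposed means the file is downloadable by anyone and the secrets in it must be rotated, not just hidden.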
FAQ
Frequently asked questions
- How do I add auth to a Streamlit app?
- Streamlit Community Cloud can restrict an app to signed-in viewers via "Settings → Sharing → Viewer access". For custom deploys, put an identity-aware proxy in front of the app (Pomerium, Cloudflare Access) so unauthenticated requests never reach Streamlit, or add an in-app login with streamlit-authenticator.
- Is st.secrets safe?
- Yes, as long as it stays on the server. st.secrets is read from .streamlit/secrets.toml (or the Community Cloud secrets UI) by the Streamlit process; values only reach the browser if your code renders them. The risk is the file itself: keep it out of git and never let a static-file rule or reverse proxy serve the project directory, or the TOML becomes downloadable by anyone. Confirm with a SafeToShip scan.
Fix guides
Common Streamlit fixes
Exposed .env file
An exposed .env file is a critical leak — it contains API keys, database URLs, and secrets. Here is why it happens in vibe-coded apps and how to lock it down.
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Missing CSP header
A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Missing HSTS header
HSTS tells browsers to always use HTTPS for your site. Without it, users can be downgraded to HTTP and have sessions stolen. Here is how to add HSTS on Vercel, Next.js, and other hosts.
Run a Streamlit security scan
Free. 70+ checks. 60 seconds.