Streamlit: An Unseen Security Vulnerability

Devansh Upadhyay
3 min read · 4 days ago


So, while I was building a project with generative AI, I came across this one particular error, apart from my own bad code (sarcasm, lol).

Let's break down how to solve this error while using this beautiful library called Streamlit.

Taken from DataCamp

Streamlit is a free and open-source framework that allows machine learning engineers to quickly build and share beautiful web apps for machine learning and data science. This Python-based library is designed to streamline the development process.

Although Streamlit has an extensive community of developers who fix bugs and discuss them online, there is one common bug that has not been fixed yet, and that is:

AxiosError: Request failed with status code 403

This is one of the most common errors developers hit when a Streamlit app is used to upload some sort of file (such as a PDF, CSV, etc.).

In spite of various version releases, Streamlit still has this error. After some research and a Google search, I came across the Streamlit community discussion page, where people have been facing this exact error for a long time.[1]

So, what is an Axios 403 error?

An Axios 403 error in Streamlit indicates that the server/API understands your request but refuses to authorize it. In web scraping this often arises when the server flags you as a bot because of IP bans, rate limiting, request filtering, misconfigured headers, or advanced anti-bot protections such as Cloudflare.

The error typically looks like this in your interface:

Here is some additional info:

  • the app is deployed on a Kubernetes cluster managed by Azure.
  • we have a service that maps the changing IP of the streamlit pod to a fixed IP.
  • we have a proxy that associates a URL from our domain name to this fixed IP.
  • the Streamlit container is root user on its pod.
  • neither the container logs, nor the pod logs, show anything particular when the error is thrown.
  • there is an authentication required to access the app, but no authorization requirement.

Well, as for the solution, most people in the discussion suggest running

streamlit run app.py --server.enableXsrfProtection false

This fix is easy to apply and, voilà, the application works again, but it is not a desirable solution, because it lowers the security level of the web app.

You might ask why this solution is not good. Well, to answer that, let's understand what this flag does under the hood.

Enable XSRF Protection: An XSRF token is a unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it’s included in a subsequent HTTP request made by the client.

All requests made to Struts Actions which are not GET (or HEAD, OPTIONS, TRACE) requests will require a token unless explicitly opted out. All GET (or HEAD, OPTIONS, TRACE) requests will not require a token unless explicitly opted in. Ideally, your app will not have any Actions that accept these safe request methods and mutate application state, and so explicitly opting in should be rarely required. A Struts action can be configured to require or not require a token in 2 ways.[2]
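As an added illustration (not Streamlit's own code and not from the forum thread), here is a toy server that applies the rule just described: safe methods need no token, unsafe methods must echo the cookie token back in a header, and a flag mirrors what `--server.enableXsrfProtection false` does. The cookie, header and path names are assumed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # never require a token
COOKIE_NAME = "xsrf_token"    # assumed names for the illustration,
HEADER_NAME = "X-Xsrftoken"   # not Streamlit's internal identifiers


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class Server:
    """Issues a token on page load and enforces it on unsafe methods."""

    def __init__(self, enable_xsrf_protection: bool = True):
        self.enable_xsrf_protection = enable_xsrf_protection

    def issue_token(self) -> str:
        # Unique, secret and unpredictable: 32 random bytes, URL-safe.
        return secrets.token_urlsafe(32)

    def handle(self, req: Request) -> int:
        """Return the HTTP status the request would get."""
        if req.method in SAFE_METHODS:
            return 200          # safe methods are exempt from the check
        if not self.enable_xsrf_protection:
            return 200          # the forum workaround: no check at all
        cookie = req.cookies.get(COOKIE_NAME)
        header = req.headers.get(HEADER_NAME)
        if not cookie or not header:
            return 403          # token missing: the AxiosError 403
        # constant-time compare so timing does not leak the token
        return 200 if hmac.compare_digest(cookie, header) else 403


def simulate(enable_xsrf_protection: bool) -> dict:
    """Status of a legitimate upload and of a forged cross-site upload."""
    srv = Server(enable_xsrf_protection)
    token = srv.issue_token()   # delivered in a cookie on the first GET
    # The app's own JavaScript can read the cookie and echo it in the header.
    legit = Request("POST", "/upload", {COOKIE_NAME: token}, {HEADER_NAME: token})
    # A third-party page cannot read the cookie: the browser still sends the
    # cookie automatically, but the matching header is absent.
    forged = Request("POST", "/upload", {COOKIE_NAME: token}, {})
    return {"legit": srv.handle(legit), "forged": srv.handle(forged)}
```

With protection on, the forged request is the one that gets 403; with the flag turned off, both requests return 200, which is exactly the check the workaround removes.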

So, when should you adjust the CORS and XSRF protection parameters?

Truthfully, CORS and XSRF protection are complex security policies that are difficult for most users. Streamlit enables them by default because they represent the most secure posture for Streamlit apps. When should you adjust the values? Truthfully, you shouldn't. You should only turn them off if you understand the security risk you are taking by doing so. You can read up on CORS[3] and XSRF[4] on MDN, and there are plenty of videos, tutorials, and games that explain what this means in more depth.

References:

  1. https://discuss.streamlit.io/t/file-upload-fails-with-error-request-failed-with-status-code-403/27143
  2. https://developer.atlassian.com/server/confluence/enable-xsrf-protection-for-your-app/
  3. https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
  4. https://developer.mozilla.org/en-US/docs/Web/Security/Types_of_attacks#cross-site_request_forgery_csrf
