Is a locally run python dash application secure for sensitive data? - python

I created a Python Dash Dashboard to interactively display sensitive customer data. I am using the Dashboard via localhost on my laptop.
I am initializing and running the app as such:
import dash

app = dash.Dash(__name__)
if __name__ == "__main__":
    app.run_server(debug=True)
Could the data of the dashboard somehow be accessed by others or is it only accessible from my machine?

Dash is a Python framework built on top of Flask, Plotly.js, React, and React Js.
As per the official Flask documentation the development server on localhost cannot be accessed from outside the host machine unless explicitly configured to do so.
The simplest of Dash apps typically consist of one Python file and have this boilerplate code at the end:
if __name__ == '__main__':
    app.run_server(debug=True)
This boilerplate can be modified to allow other devices on the network to access a locally hosted development server by adding the host parameter as follows:
if __name__ == '__main__':
    app.run_server(debug=True, host='0.0.0.0')
I created a demo Dash Dashboard on my machine to test this.
At first I made no changes to my PC's firewall configuration and was unable to access the webpage from another computer.
Normally when a new application attempts to expose a port on Windows, you would get a Security Alert (assuming you're using the standard firewall, but other firewalls behave in much the same way):
Assuming that you have not configured the firewall, you are running the app using the Flask development server and not a production WSGI server, and you haven't touched the config of the Flask dev server, you'll be ok.
I was only able to access the app using the dev server once I had made that change to the host parameter. Otherwise accessing the Dash webpage will not be possible.
EDIT:
Following what Matt said in his answer --
The asker of the question is using dash in a meeting to present results.
Assuming that you are only running the dashboard for the duration of the meeting, and your device is not actively under attack, and you are in control of the device at all times, generally, you should be ok. If you're worried about being attacked from a local network, don't connect to any networks.
If the data you are dealing with is unbelievably sensitive then it would be sensible to only take the aggregated data with you that you'd need to run the dashboard, if possible.

It depends on what your definition of "secure" is. If it's "can someone just point their browser at my IP and access it" then likely yes, it is secure; but it is not secure from other attacks.
Have you ever wondered how you can "login with Google" to another website and see your Google avatar? That's because a website can often make requests to Google to ask for information. Google needs to often explicitly say "no, your browser cannot make requests to google.com while visiting attacker.com, but https://stackoverflow.com/ can.".
Same for Flask or Dash, and it's actually a feature and why you can "embed" Dash in your enterprise website.
Now what if I create a website that, when you load a page, loads http://localhost:8050/ via JavaScript and sends the data to me, if you visit this website? I can likely exfiltrate your data.
Would you visit such a site on purpose? Likely no. Do you trust all the websites you visit online and have never misclicked on a streaming site showing you DMCA-protected content? Probably less certain.
So if you have really sensitive data, no, Dash is not secure; not enough by itself.
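As an added defensive example, not code from either answer above: the Host and Origin checks that stop a localhost-only dev server from answering a request that another site's page triggered in your browser, written as dependency-free WSGI middleware. The names `LocalOnly`, `request_allowed` and `simulate`, the constructed requests, and the wire-up through Dash's `app.server` are my assumptions, not part of the original discussion.

```python
# Added example (not from the original answers): stdlib-only WSGI middleware so a
# locally bound Dash/Flask dev server answers only its own browser tab. Checks: the
# Host header must be the local listen address (defeats DNS rebinding of a public
# name onto 127.0.0.1), and a browser-sent Origin header (every cross-site fetch,
# XHR or form POST carries one) must match the app's own origin.  Assumed Dash
# wire-up via its Flask app:  app.server.wsgi_app = LocalOnly(app.server.wsgi_app)
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"127.0.0.1:8050", "localhost:8050"}  # 8050 is Dash's default port

def request_allowed(headers):
    # headers: dict of request headers, any key case; returns (ok, reason)
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "")
    if host not in ALLOWED_HOSTS:
        return False, "host header %r is not the local dashboard" % host
    origin = h.get("origin")
    if origin is not None and urlsplit(origin).netloc not in ALLOWED_HOSTS:
        return False, "cross-site request from origin %r" % origin
    return True, "ok"

class LocalOnly:
    # wraps any WSGI app and answers 403 to requests that fail request_allowed
    def __init__(self, wsgi_app):
        self.wsgi_app = wsgi_app

    def __call__(self, environ, start_response):
        headers = {"Host": environ.get("HTTP_HOST", "")}
        if "HTTP_ORIGIN" in environ:
            headers["Origin"] = environ["HTTP_ORIGIN"]
        ok, reason = request_allowed(headers)
        if not ok:
            body = ("403 Forbidden: " + reason).encode()
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.wsgi_app(environ, start_response)

def _dashboard(environ, start_response):  # stand-in for the real Dash app
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"sensitive customer data"]

def simulate(environ):
    # pushes one constructed WSGI request through LocalOnly; returns (status, body)
    seen = []
    body = b"".join(LocalOnly(_dashboard)(environ, lambda s, h, e=None: seen.append(s)))
    return seen[0], body

if __name__ == "__main__":  # constructed cross-site request from another tab
    print(simulate({"HTTP_HOST": "127.0.0.1:8050", "HTTP_ORIGIN": "http://evil.example"}))
```

A request from the dashboard's own tab carries a matching Origin (or none at all for a plain navigation) and passes; one fired from a page on another origin, or one whose Host header names anything but the local listen address, gets a 403 before Dash ever sees it.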

"Is a locally run python dash application secure for sensitive data?"
To a great extent the best answer is based upon your operating system.
If you are using any Microsoft Windows operating system beyond XP Pro (32 bit) with sp2, or XP Pro (64 bit) with sp1, or Windows 7 (32 or 64) with sp0, then NO.
I expect this to be down-voted. But, the truth is the truth and if you do not like it, then it is still the truth.

Related

My Flask python web application is not accessible from a domain name

I have programmed in python a web application using flask. I decided to deploy it from my home with a raspberry pi which runs the code continuously. I would like it to be accessible from a web browser and for that I have thought to configure my router to redirect the requests to my server. I also took care to configure my firewall accordingly. It turns out that the application works well and is perfectly accessible by typing its public IP in my URL bar. The problem is that I can't access it using a domain name. I have rented a new one and I have configured the DNS records so that it points to my server. I tested the DNS servers and it seems that the pointing is effective. However, when I enter the domain name I don't get my web application but the page of hostinger, the hosting company where I rented the domain name. I have contacted the technical department and they assure me that the problem is not in the DNS but in the hosting, so in my python code. This leaves me perplexed because my web application is accessible from its public IP. So the code should be good.
Please do not hesitate to ask me for additional details, either on the level of my python program or on the level of my server.
Thanks in advance for your help

How to safely deploy a dash app through a relay link (like gradio, streamlit)

Every Google search result on the question of "how to deploy a dash app" is about how to set up a dash server and expose it to the web through a port or your webpage's registered global DNS address.
In my case I can't do port forwarding as it is not allowed by the sysadmin, and I do not have a machine with sufficient resources to deploy my app.
However gradio and streamlit, which create a link that points to the local server, worked like a charm.
How can I do the same with dash, which basically means:
I start a server on the local machine
A URL accessible by anyone becomes available, which I can copy and share (limited time is also ok)
Do this in a secure way (no code injection vulnerabilities etc.)
Do you have anything to propose?

How can others use my Waitress/Flask server?

So I got interested in developing apps using Flask. And saw from the Flask documentation that I can use Waitress (I'm on Windows) to deploy my app (or more so to production). I just made a simple app that returns "Hello World"
from flask import Flask, make_response
from waitress import serve

app = Flask(__name__)

@app.route('/get')
def get():
    return make_response("Hello World with make_response", 200)

if __name__ == '__main__':
    serve(app, host='0.0.0.0', port=8080)
Just the very generic example, I can run it and see it for myself, but how exactly can I have others go to the address and see the message as well? I thought Waitress being a production server would mean that I can deploy this for others to see as long as they have the link. But I can't find any information on this. If I can't, then what is the difference from running the Flask app without Waitress? If I made any mistakes in my assumptions please let me know, as I'm still a beginner at this and might be misunderstanding some of the concepts.
Thanks
The builtin Flask server can only handle one connection at a time.
Waitress can handle many more, depending on its configuration.
Depending on your network and security settings, assuming you develop this app on a pc at work, others can access your app via
http://ip_of_your_pc:8080
If you want your app to be available world wide, I'd suggest to go to a professional hoster.
You have to allow Python through the Windows firewall:
Start
Firewall & network protection
Allow an app through firewall
Change settings
Tick python.exe
OK
Then it will be accessible from other computers on the network, but it's likely with a local IP address that's not visible outside the network. To access it from the rest of the world, configure NAT on your router to allow web requests through to the computer with the server on it then access it using your public IP address (google "what's my IP" to see what it is).

Run a Python script from a HTML page using nginx on a Raspberry Pi

I've been working on a project recently where basically I need to make a motor spin at certain times throughout the day for a few seconds, that can be customised using your phone.
So far I have followed many tutorials and done a lot of browsing and I've managed to have my Pi Zero host its own network (using nginx, hostapd and dnsmasq), which you can connect to on your phone and go to 192.168.4.1 to access an index.html page in /var/www/html/
I also have a Python script which, when run, turns one of the GPIO pins on for a few seconds and then off again, and this GPIO pin is in turn connected to the motor.
The trouble I am having is setting up the rest of the web side, where you are able to connect to the network, go to a page, insert 2 or 3 different times, submit them, and then when it's that time the Python scripts will run.
Since I've set up the Pi as an access point, I'm not sure how to reverse it and allow it to connect to wifi again without ruining the access point and current set up, so I'm not sure if there's an easy way to download any packages or modules I may need.
Anyway, any help anyone could give me would be incredibly useful - many thanks!!
Unless you are planning for a production web server, for simple applications like displaying sensor status or controlling a sensor via a web page, there is a simpler solution for beginners and for Python programmers. Since you are using Python, you don't have to use PHP, and you probably don't need to have nginx at this stage. There are actually two ways in my experience to do it.
1) Using http.server
The 'simple way' to serve a web page using Python is based on the Python standard library http.server, utilising Python's built-in socket-based HTTP server. But it is less intuitive to set it up for GET/POST requests/responses. It is too long to describe it here, but I have a blog post on how to do it here.
2) Using the Flask web development micro framework
Flask allows you to set up HTML templates, handle routes and run a web server easily within the Python environment. You need to install the Flask package for Python web development. The simplest Flask Python code that addresses your question of serving the data to a web page would be:
from flask import Flask, render_template_string

app = Flask(__name__)
data = 200  # assuming this is the data you want to show in your web page

@app.route('/')
def index():
    # pass the value into the template as a variable rather than
    # string-formatting it into the template source
    return render_template_string('''
<h1>My Sensor Web Page</h1>
<p>My sensor reading is {{ data }}</p>
''', data=data)

if __name__ == '__main__':
    app.run(debug=True, port=8000)  # port 8000 matches the address given below
Launch your browser and point it to http://localhost:8000, and you should see the data rendered as a webpage per our simple example code.
What you will need is to either import your code into this flask example, or integrate it into the example, and pass the data you want to display to render_template_string function.
I would suggest using a web framework to host the "website". Flask is one that I have used for similar applications. Since this method allows you to directly call python functions in response to http requests it should be fairly easy to implement what you are trying to do.
As a bonus, you can use flask with nginx but I really don't think you need it for this specific application.

How do you make a Redirect URI for a Slack App?

I'm trying to create a Slack App (see here), but I'm having incredible difficulty with how to create a Redirect URI.
Slack states the following:
You must specify at least one redirect URL for OAuth to work. If you pass a URL in an OAuth request, it must (at least partially) match one of the URLs you enter here.
I have a rudimentary understanding of a Redirect URI conceptually, but I have no idea how to go about actually getting this Redirect URI that Slack requires.
I've successfully used all of Slack's integrations with Python including Real Time Messaging, but setting up a Redirect URI seems to require a special server or a website.
As already mentioned in the comments you will need a publicly reachable webserver to host your script for installing the Slack app. So the redirect URL is the URL to your installation script.
Basically any webserver or script hosting service that runs your favorite script flavor (e.g. PHP or Python) will work. See also this answer on how the OAUTH process can be implemented.
The redirect URL works without SSL, but for security reasons SSL is strongly recommended. Also many other features of Slack require you to run SSL on your webserver (e.g. Interactive Buttons).
Another option is to run a webserver on your local machine (e.g. WAMP for windows) and open it to the Internet through a secure tunnel (e.g. ngrok). For developing and testing this is actually the better alternative, since you can test and fix your Slack app locally without having to deploy every change on a public server.
However for running a public Slack app (e.g. one that is listed on the Slack App Directory) I would strongly recommend to put the production version of your App on a public webserver.
If you're just trying to get it up so that you can authorize another workspace you can always use 'http://localhost'. After authorizing it will try to redirect you there and you won't be able to see anything useful, but the authorization should still have taken place, I believe.
Of course if you're looking for the API code, you will have to pull it directly from the browser URL. ... it's very manual.
