
I created a Python Dash dashboard to interactively display sensitive customer data. I am using the dashboard via localhost on my laptop. I am initializing and running the app as follows:

import dash

app = dash.Dash(__name__)

if __name__ == "__main__":
    app.run_server(debug=True)

Could the data of the dashboard somehow be accessed by others or is it only accessible from my machine?

Henri

  • Try to access the web application with your network IP address instead of localhost – Husseinfo Apr 16 '21 at 14:23
  • Thanks for your response! @Husseinfo I am new to this topic. How would I go about accessing the app with my network IP? Would that be to check if any random person can access the site? – Henri Apr 20 '21 at 15:45
  • People on your network can access any service running on your host using your IP address, thus when you enter by IP you are simulating a network access, not a local access. – Husseinfo Apr 20 '21 at 15:48
  • @Husseinfo Would you care to make a complete example of your comment and post that as a question. Something along the lines of `"No, it's not secure because..."` ? – vestland Apr 22 '21 at 15:28

3 Answers

5

Dash is a Python framework built on top of Flask, Plotly.js, React, and React Js.

As per the official Flask documentation, the development server on localhost cannot be accessed from outside the host machine unless explicitly configured to do so.

The simplest of Dash apps typically consist of one Python file and have this boilerplate code at the end:

if __name__ == '__main__':
    app.run_server(debug=True)

This boilerplate can be modified to allow other devices on the network to access a locally hosted development server by adding the host parameter as follows:

if __name__ == '__main__':
    # '0.0.0.0' binds every interface, so other hosts on the network can connect
    app.run_server(debug=True, host='0.0.0.0')

I created a demo Dash Dashboard on my machine to test this.

At first I made no changes to my PC's firewall configuration and was unable to access the webpage from another computer.

Normally when a new application attempts to expose a port on Windows, you would get a Security Alert (assuming you're using the standard firewall, but other firewalls behave in much the same way):

[Image: Windows Security Alert dialog]

Assuming that you have not configured the firewall, and you are running the app using the Flask development server and not a production WSGI server, and you haven't touched the config of the Flask dev server, you'll be ok.

I was only able to access the app using the dev server once I had made that change to the host parameter. Otherwise accessing the dash webpage will not be possible.

EDIT:

Following what Matt said in his answer --

The asker of the question is using dash in a meeting to present results.

Assuming that you are only running the dashboard for the duration of the meeting, and your device is not actively under attack, and you are in control of the device at all times, generally, you should be ok. If you're worried about being attacked from a local network, don't connect to any networks.

If the data you are dealing with is unbelievably sensitive then it would be sensible to only take the aggregated data with you that you'd need to run the dashboard, if possible.

Cerberton

  • Thank you for your comprehensive reply! @Cerberton I am just looking to visualize some interactive Python data analysis for a presentation and tried out Dash. So I wanted to make sure I was not outputting the data publicly. I also tried accessing the dashboard like such: http://: . That did not yield a response. Is that a valid way to test public access? How did you test the public accessibility? – Henri Apr 22 '21 at 18:37
  • Hi @Henri, exciting stuff - you definitely chose a good tool for the job. You should be perfectly fine. Regarding the public access - Windows Firewall blocks those ports by default, if you've never hosted a live web server from your laptop those ports should be closed and you'll be ok. If you are really concerned, then you can open up Windows Firewall (I am assuming that your machine has Windows Firewall) by going to Windows Defender Firewall with Advanced Security and looking at the Inbound and Outbound rules, blocking any connections for python.exe – Cerberton Apr 22 '21 at 19:12
  • BUT unless your laptop computer is actively under attack during your presentation (unlikely) then I really wouldn't worry. – Cerberton Apr 22 '21 at 19:12
  • @Henri - I've actually got confirmation for you that you're safe if you're using the default dev server in debug mode. Updating my answer. – Cerberton Apr 22 '21 at 19:14
  • I will check out the Windows Defender setting just to see what I can find. Thank you for taking so much time to answer my question in detail! I really appreciate it, since I am a student at the beginning of my Python data analysis journey :) – Henri Apr 22 '21 at 19:59
  • I'm excited for you @Henri, please mark this as the accepted answer if it does answer your query! – Cerberton Apr 22 '21 at 20:06
  • Be really careful, even if the IP is only accessible from your local machine, Dash may be susceptible to cross-site requests and data exfiltration. This is why, for example, other local applications like Jupyter ask you for a token when you start the server. It might not be easy to access, but if you could be a sensitive target then no, Dash on your machine is not secure. – Matt Apr 28 '21 at 02:27
  • I'm still not quite sure to whom the bounty should be awarded. But I would strongly suggest to all that have been involved in this answering process to be a bit more generous with your up-votes. Both contributions are after all undoubtedly useful. – vestland Apr 28 '21 at 20:28
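The answer above turns on which address the dev server binds. The script below is an added example (not from this thread or the Dash project): it binds a throwaway listener the way the host= parameter would and probes it from the loopback address and from the machine's own LAN address, so you can see what 127.0.0.1 versus 0.0.0.0 exposes before starting the real dashboard. It assumes IPv4 and uses the reserved documentation address 192.0.2.1 only to discover the outbound interface; no packet is sent.

```python
import socket
from contextlib import closing

def lan_ip():
    """Best-effort non-loopback IPv4 address of this machine, or None.
    Connecting a UDP socket selects the outbound interface without
    sending anything; 192.0.2.1 is a reserved documentation address."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_DGRAM)) as s:
        try:
            s.connect(("192.0.2.1", 9))
        except OSError:
            return None
        ip = s.getsockname()[0]
    return None if ip.startswith("127.") else ip

def is_listening(ip, port, timeout=0.5):
    """True if a TCP connection to ip:port is accepted."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((ip, port)) == 0

def exposure(bind_host):
    """Bind a throwaway listener the way the dev server's host= parameter
    would, then report which addresses can reach it. 'lan' is None when
    the machine has no non-loopback address to probe from."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_host, 0))          # port 0: let the OS pick a free port
        srv.listen(5)
        port = srv.getsockname()[1]
        lan = lan_ip()
        return {
            "port": port,
            "loopback": is_listening("127.0.0.1", port),
            "lan": is_listening(lan, port) if lan else None,
        }

if __name__ == "__main__":
    for host in ("127.0.0.1", "0.0.0.0"):
        print(f"host={host!r:12} -> {exposure(host)}")
    # The same probe against a running dashboard (Dash's default port is 8050):
    # print(is_listening(lan_ip() or "127.0.0.1", 8050))
```

With the default host (loopback only) the LAN probe is refused; with host='0.0.0.0' it is accepted, which is exactly the difference the answer describes.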
3

It depends on what your definition of "secure" is. If it's "can someone just point their browser at my IP and access it" then likely yes, it is secure; but it is not secure from other attacks.

Have you ever wondered how you can "login with Google" on other websites and see your Google avatar? That's because a website can often make requests to Google to ask for information. Google needs to often explicitly say "no, your browser cannot make requests to google.com while visiting attacker.com, but https://stackoverflow.com/ can.".

Same for Flask or Dash, and it's actually a feature and why you can "embed" Dash in your enterprise website.

Now what if I create a website that, when you load a page, loads http://localhost:8050/ via JavaScript and sends the data to me, if you visit this website? I can likely exfiltrate your data.

Would you visit such a site on purpose? Likely no. Do you trust all the websites you visit online, and have you never misclicked on a streaming site showing you DMCA-protected content? Probably less certain.

So if you have really sensitive data, no, Dash is not secure; not enough by itself.

Matt
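The answer above describes requests issued by another site against a dashboard on localhost. The middleware below is an added example (not from this thread or the Dash project), in the spirit of the token Jupyter asks for: it refuses any request whose Host header is not a local name, whose Origin header names another site, or that carries no valid token. It assumes a Dash app object and wraps app.server.wsgi_app, the underlying Flask application's WSGI entry point; the cookie name and token format are choices made for this example.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
COOKIE = "dash_token"   # cookie name is an arbitrary choice for this example

def _hostname(value):
    """'localhost:8050' -> 'localhost'; 'http://evil.example' -> 'evil.example'."""
    value = (value or "").split("//", 1)[-1].lower()
    return value.rsplit(":", 1)[0] if ":" in value and not value.endswith("]") else value

class LocalOnly:
    """WSGI middleware for a dashboard meant to be used from one machine only."""

    def __init__(self, app, token):
        self.app, self.token = app, token

    def verdict(self, environ):
        """None if the request is acceptable, otherwise the reason for rejection."""
        if _hostname(environ.get("HTTP_HOST")) not in ALLOWED_HOSTS:
            return "host not local"       # e.g. DNS rebinding or access by LAN address
        origin = environ.get("HTTP_ORIGIN")
        if origin and _hostname(origin) not in ALLOWED_HOSTS:
            return "cross-site origin"    # request issued by a page on another site
        from_url = parse_qs(environ.get("QUERY_STRING", "")).get("token", [""])[0]
        morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get(COOKIE)
        supplied = from_url or (morsel.value if morsel else "")
        if not supplied or not secrets.compare_digest(supplied.encode(), self.token.encode()):
            return "missing or wrong token"
        return None

    def __call__(self, environ, start_response):
        reason = self.verdict(environ)
        if reason:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [f"forbidden: {reason}\n".encode()]

        def with_cookie(status, headers, exc_info=None):
            # Persist the token so Dash's own callback requests (which carry no query
            # string) keep passing; SameSite=Strict keeps it off cross-site requests.
            headers.append(("Set-Cookie", f"{COOKIE}={self.token}; HttpOnly; SameSite=Strict"))
            return start_response(status, headers, exc_info)
        return self.app(environ, with_cookie)

# Wiring it into a Dash app (app.server is the underlying Flask object):
#   token = secrets.token_urlsafe(32); print(f"open http://127.0.0.1:8050/?token={token}")
#   app.server.wsgi_app = LocalOnly(app.server.wsgi_app, token)
```

The first visit presents the token in the URL; after that the cookie carries it, and a page on another site neither knows the token nor gets the cookie attached to its requests.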
-2

"Is a locally run python dash application secure for sensitive data?"

To a great extent the best answer is based upon your operating system.

If you are using any Microsoft Windows operating system beyond XP Pro (32 bit) with sp2, or XP Pro (64 bit) with sp1, or Windows 7 (32 or 64) with sp0, then NO.

I expect this to be down-voted. But, the truth is the truth and if you do not like it, then it is still the truth.