Security of Panel apps

Hi,

I’ve just recently discovered Panel, and so far am quite impressed. I can’t find any discussion of security issues in Panel apps, e.g. is it considered OK to expose them publicly, or should they only be used internally? Is it possible for an end user to execute arbitrary Python code on the server by clever hacking of frontend JavaScript? Have any security audits been done, or is there any security analysis or framework I could look at? That sort of thing.

2 Likes

Excellent question @ianhinder. The Panel server is an extension of the Bokeh server, which itself is built on top of Tornado. These are all secure frameworks with many users, so the technology stack in itself does not have any major vulnerabilities. Then we get to Panel itself, which largely just extends Bokeh in a variety of ways. Personally, I consider Panel secure, although, just like in any framework, it can be easy to add vulnerabilities in user application code by connecting inputs to SQL queries and/or allowing arbitrary code execution; however, these aren’t flaws in the library itself.

For the security review questions, I can disclose that at least some clients we work with use Panel extensively in production (using internal and publicly accessible deployments) and have asked their cybersecurity teams to perform a security review around a set of Panel applications, and they did not discover anything. Most, however, do add an OAuth layer in front of their applications to ensure that unauthorized users can’t easily access the applications.

If you are familiar with this space I would love to hear what kind of documentation we can provide to reassure developers that the framework is secure and if you know what other frameworks do to document security related issues.

1 Like
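To make the two application-code pitfalls named in the reply concrete (a widget value spliced into a SQL query, and a widget value handed to `eval()`), here is an added example that is not from the thread or from the Panel project. It uses only `sqlite3` so it runs stand-alone; in a real Panel app the `dept`, `column`, `op`, `value` and `expr` arguments would be widget values wired in with `pn.bind`, which is assumed and not shown. The `users` table and its three rows are constructed sample data. Note that the hardened `filter_safe` re-validates `column` and `op` on the server even though a `Select` widget would only offer fixed choices, because the browser-side widget can be altered and any value can be sent back, which is exactly the "hacking of frontend JavaScript" scenario the question raises.

```python
import sqlite3

# Constructed sample data standing in for whatever a dashboard would query.
SAMPLE_ROWS = [
    (1, "alice", "engineering"),
    (2, "bob", "finance"),
    (3, "carol", "engineering"),
]

# Server-side allowlists: the only identifiers user input may select between.
ALLOWED_COLUMNS = {"id", "name", "dept"}
ALLOWED_OPS = {"=": "=", "!=": "!="}


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_unsafe(conn, dept):
    """Vulnerable: the widget value is interpolated into the SQL text, so a
    value such as  ' OR '1'='1  rewrites the WHERE clause."""
    sql = f"SELECT name FROM users WHERE dept = '{dept}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, dept):
    """Hardened: the value travels as a bound parameter and is only ever
    compared as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE dept = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (dept,))]


def filter_unsafe(conn, expr):
    """Vulnerable: evaluating a free-text 'filter expression' from a widget
    is arbitrary code execution on the server. An empty globals dict does
    not help; Python inserts __builtins__, so __import__ is reachable."""
    rows = conn.execute("SELECT id, name, dept FROM users ORDER BY id").fetchall()
    return [
        r[1]
        for r in rows
        if eval(expr, {}, {"id": r[0], "name": r[1], "dept": r[2]})
    ]


def filter_safe(conn, column, op, value):
    """Hardened: column and operator are checked against server-side
    allowlists (so a tampered Select widget cannot inject identifiers) and
    the comparison value is bound as a parameter."""
    if column not in ALLOWED_COLUMNS or op not in ALLOWED_OPS:
        raise ValueError("unsupported column or operator")
    sql = f"SELECT name FROM users WHERE {column} {ALLOWED_OPS[op]} ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("unsafe search with injection:", search_unsafe(conn, payload))
    print("safe search with same input:  ", search_safe(conn, payload))
    # The 'filter' below runs an OS call on the server purely from a string.
    print("unsafe filter ran code:", filter_unsafe(conn, "__import__('os').getpid() > 0"))
    print("safe filter:", filter_safe(conn, "dept", "!=", "finance"))
```

The parameterized form is the fix for the SQL case; for the "expression" case there is no safe way to keep `eval()`, so the hardened version changes the interface to structured fields (column, operator, value) that can be validated individually.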