[FIXED] How to disable XsrfProtection #streamlit

Issue

I have a setup.sh file :

mkdir -p ~/.streamlit/
echo "\
[server]\n\
port=$PORT\n\
enableCORS=false\n\
headless=true\n\
\n\
" > ~/.streamlit/config.toml

When i deploy my app on Heroku : It gives Application error H14, while in my logs I can see a small overriding done:

2022-06-28T13:59:07.660953+00:00 heroku[wev.1]: Restarting
2022-06-28T13:59:07.663151+00:00 heroku[wev.1]: State changed from up to starting
2022-06-28T13:59:08.426158+00:00 heroku[wev.1]: Stopping all processes with SIGTERM
2022-06-28T13:59:08.470430+00:00 app[wev.1]:   Stopping...
2022-06-28T13:59:08.740844+00:00 heroku[wev.1]: Process exited with status 0
2022-06-28T13:59:17.236832+00:00 heroku[wev.1]: Starting process with command `sh setup.sh && streamlit run app.py`
2022-06-28T13:59:17.842753+00:00 heroku[wev.1]: State changed from starting to up
2022-06-28T13:59:19.208294+00:00 app[wev.1]: 2022-06-28 13:59:19.208 
2022-06-28T13:59:19.208305+00:00 app[wev.1]: Warning: the config option 'server.enableCORS=false' is not compatible with 'server.enableXsrfProtection=true'.
2022-06-28T13:59:19.208305+00:00 app[wev.1]: As a result, 'server.enableCORS' is being overridden to 'true'.
2022-06-28T13:59:19.208306+00:00 app[wev.1]: 
2022-06-28T13:59:19.208306+00:00 app[wev.1]: More information:
2022-06-28T13:59:19.208307+00:00 app[wev.1]: In order to protect against CSRF attacks, we send a cookie with each request.
2022-06-28T13:59:19.208308+00:00 app[wev.1]: To do so, we must specify allowable origins, which places a restriction on
2022-06-28T13:59:19.208308+00:00 app[wev.1]: cross-origin resource sharing.
2022-06-28T13:59:19.208308+00:00 app[wev.1]: 
2022-06-28T13:59:19.208309+00:00 app[wev.1]: If cross origin resource sharing is required, please disable server.enableXsrfProtection.
2022-06-28T13:59:19.208309+00:00 app[wev.1]:             
2022-06-28T13:59:19.414636+00:00 app[wev.1]: 
2022-06-28T13:59:19.414646+00:00 app[wev.1]:   You can now view your Streamlit app in your browser.
2022-06-28T13:59:19.414656+00:00 app[wev.1]: 
2022-06-28T13:59:19.414692+00:00 app[wev.1]:   Network URL: http://172.19.20.38:24743
2022-06-28T13:59:19.414722+00:00 app[wev.1]:   External URL: http://3.235.143.6:24743
2022-06-28T13:59:19.414734+00:00 app[wev.1]: 

While running, it is overriding my enableCORS=false to true, I think which is causing my application error.

I have previously posted doubt related to "Application error" : Heroku app Application error even after successful deployment message
Do check it for setup.sh and Procfile details.

How can I disable the XsrfProtection??

Solution

Per the error, server.enableCORS=false is being overridden because server.enableXsrfProtection is set to true. The solution is to set server.enableXsrfProtection=false:

mkdir -p ~/.streamlit/
echo "
[server]
port=$PORT
enableXsrfProtection=false
enableCORS=false
headless=true
" > ~/.streamlit/config.toml

I am also obliged to note what this setting is protecting against, but assume you are familiar with the risks of toggling it off.

Answered By - axsyse

Answer Checked By - Marilyn (PHPFixing Volunteer)