Security Checklist
Stario is secure by default, but following these patterns ensures your application stays safe.
✅ XSS Prevention
Stario's HTML builder escapes all strings by default.
- Safe: Div("<script>...") renders as literal text.
- Manual: Use SafeString("<svg>...") ONLY for content you trust.
✅ CSRF Protection
- Cookies: Use samesite="lax" (default) or "strict" for all session cookies.
- Origin: For highly sensitive commands (e.g., DELETE /account), verify the Origin header in your handler.
✅ Cookie Security
Always set these flags for production sessions:
w.cookie("session", sid, httponly=True, secure=True, samesite="lax") # httponly: hidden from JS; secure: HTTPS only; samesite: not sent cross-site
✅ Path Traversal
When serving or saving files based on user input, always sanitize the filename:
from pathlib import Path
safe_name = Path(user_provided_name).name # Strips directory components
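A hardened version of that check, added here as an example and not part of Stario's own code: it keeps the Path(...).name idea but rejects the names that survive it (an empty name, ".", ".."), strips Windows-style separators as well, and confirms the final path still lies inside the upload directory. The uploads/ directory and the function names are assumptions.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeFilename(ValueError):
    """Raised when a user-supplied name cannot be reduced to a safe basename."""


def safe_filename(user_provided_name: str) -> str:
    """Reduce a user-supplied name to a bare filename.

    Path(...).name alone is not enough: Path("..").name is still "..",
    Path("/").name is "", and on a POSIX host a backslash is not a
    separator, so "..\\x" would be kept whole. Take the last component
    under both separator conventions, then reject non-file names.
    """
    name = PureWindowsPath(PurePosixPath(user_provided_name).name).name
    if name in ("", ".", "..") or "\x00" in name:
        raise UnsafeFilename(f"unsafe filename: {user_provided_name!r}")
    return name


def resolve_upload_path(base_dir: Path, user_provided_name: str) -> Path:
    """Return base_dir / <safe name>, proving the result stays inside base_dir.

    resolve() follows symlinks, so a symlink planted inside base_dir that
    points elsewhere is caught by the containment check as well.
    """
    base = base_dir.resolve()
    target = (base / safe_filename(user_provided_name)).resolve()
    if not target.is_relative_to(base):  # Python 3.9+
        raise UnsafeFilename(f"escapes {base}: {user_provided_name!r}")
    return target


if __name__ == "__main__":
    # Constructed sample inputs: one benign name and three traversal attempts.
    for raw in ("report.pdf", "../../etc/passwd", "..\\..\\win.ini", ".."):
        try:
            print(f"{raw!r:24} -> {resolve_upload_path(Path('uploads'), raw)}")
        except UnsafeFilename as exc:
            print(f"{raw!r:24} -> rejected ({exc})")
```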
✅ Input Sanitization
Don't trust client-side signals. Always validate types and lengths on the server using c.signals(Dataclass).
✅ Secret Management
Never hardcode API keys or database strings. Use environment variables:
import os
DB_URL = os.environ["DATABASE_URL"]
