# Security

When using a local web server, you may want to protect your API from unauthorized access.

First, it is advisable to enable SSL for the local HTTP server. To do so, start the application with the `ssl` parameter set to `True`: `webview.start(ssl=True)`.

Second, if you use a third-party HTTP server with a REST API, CSRF attacks can be a major problem. pywebview addresses the problem by generating a session-unique token that is exposed both to Python as `webview.token` and to JavaScript as `window.pywebview.token`. Refer to the CSRF cheat sheet for approaches to securing the API and see the Flask app for a concrete example.
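One way to enforce the token on the server side, shown as an added example that is not pywebview's own code: a WSGI middleware (usable around a Flask app, which is also a WSGI app) that rejects state-changing requests lacking the session token. Assumptions: `SESSION_TOKEN` stands in for `webview.token`, the `X-Pywebview-Token` header name is hypothetical, `demo_app` and `call` are constructed for the demonstration, and GET handlers are assumed not to change state.

```python
import hmac
import secrets

# Assumption: in a real app this value is webview.token; a constructed
# stand-in is used so the example runs without pywebview installed.
SESSION_TOKEN = secrets.token_hex(16)

# Hypothetical header name (X-Pywebview-Token) as it appears in a WSGI environ.
TOKEN_ENVIRON_KEY = "HTTP_X_PYWEBVIEW_TOKEN"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class TokenGuard:
    """WSGI middleware rejecting state-changing requests without the token."""

    def __init__(self, app, token):
        self.app = app
        self.token = token.encode()

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if method not in SAFE_METHODS:
            supplied = environ.get(TOKEN_ENVIRON_KEY, "").encode()
            # Constant-time comparison avoids leaking the token through timing.
            if not hmac.compare_digest(supplied, self.token):
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"invalid or missing token"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for the REST API."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def call(app, method, token=None):
    """Invoke a WSGI app with a constructed request; return (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/api/items"}
    if token is not None:
        environ[TOKEN_ENVIRON_KEY] = token
    seen = {}
    body = b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body


guarded = TokenGuard(demo_app, SESSION_TOKEN)
```

On the page side, the script would read `window.pywebview.token` and send it in the same header with each state-changing request.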