Security

It is advisable to enable SSL for local HTTP server. To accomplish this, simply start the application with the ssl paramater set to True webview.start(ssl=True). You need to have cryptography pip dependency installed in order to use ssl. It is not installed by default.

If you employ a REST API, CSRF attacks can be a major concern. pywebview mitigates this risk by generating a session-unique token that is accessible in Python as webview.token and in JavaScript as window.pywebview.token. For more information on securing APIs, refer to the CSRF Prevention Cheat Sheet. You can also see a practical example in the Flask app.