Hi @v.v.avudainayagam - glad you’re enjoying Anvil!
First, I want to say that Anvil isn’t a black box! The runtime system used by both the App Server and our hosted service is on GitHub for anyone to audit.
We’ve had some customers commission their own private penetration tests – so far, no major vulnerabilities found (although nobody’s code is perfect, and we are always grateful for reports at security@anvil.works). Some fairly large companies including Vodafone, Baker Tilly, and others – including quite a few we can’t mention – trust Anvil’s security.
Speaking more generally, Anvil’s model is significantly more secure than traditional web frameworks. The OWASP Top Ten vulnerability list is dominated by injections and confusions that are inherent to layering HTML+JS+CSS, REST APIs, and so on. Because you’re using a Python UI toolkit, you have to work quite hard to introduce an XSS vulnerability into an Anvil app. Even if you do use HTTP endpoints, Anvil automatically defends against attacks like CSRF. And, of course, all the pitfalls of hand-rolled authentication can be avoided with the out-of-the-box Users Service. (And the pitfalls of hand-rolled encryption with the Secrets Service, and so on.)
There are some fun results indicating that the number of bugs is roughly proportional to the number of lines of code in your project – which means that, by making your web apps easier to build, Anvil automatically makes them more secure.
In short, Anvil is production-ready, trusted by the big boys, and engineered to substantially reduce the risk of creating security vulnerabilities in your own apps.