Is importing a client module on the server secure?

Zaro · April 27, 2025, 11:42am

Just wanted to ask how secure it is to import a client module on the server.

As anybody has the ability to view and modify the client code, would this affect the imported modules on the server?

I guess my question is whether the import is of the live instance or a copy of the code that is detached from the session and cannot by modified by the app’s users.

Another thing I’m curious about is what happens when an anvil.server.call() located in a client module is executed when said client module is imported and ran in the server code. Does it spin up a new instance?

duncan_richards12 · April 27, 2025, 12:29pm

I’m pretty confident that modules have separate copies on the Server and client since they are on different computers:

The server is on Anvil’s requisitioned AWS server computers
But the client is on the user’s computer

meredydd · April 27, 2025, 2:44pm

Good question – the answer is: No. Importing Modules from Server Modules is safe!

A bit more background if you’re interested:

When code runs on the client side, it runs in a user’s browser, on a device they control. This means the user can cause its browser to do whatever they want: Your client-side code is effectively a suggestion of what their browser ought to do, but you can’t trust they will follow that suggestion.

However, when code runs on the server side, it runs on an Anvil server, and the user does not control those! Anvil servers will always load and run a faithful copy of your source code, straight from the repository – so what you run is what you wrote.

If you haven’t seen it yet, I very much recommend our guide to Client vs Server code:

Broadly, yes. When you call anvil.server.call() from Python running on the server (whether it came from Modules or Server Modules – it all ends up in the same interpreter), it will follow the same rules. That is to say, it goes into the central Anvil runtime, which determines where that call needs to go (eg: is there an Uplink function connected with that name?). If the call should be handled by a server function in your Server Modules, it will be sent to your server-side Python environment and run as a fresh call.

This means that anvil.server.call() is a pretty inefficient way to call one server-side function from another server-side function! If you can import the relevant module and call the function directly, things will go much faster.

If you’re in Module code that might be loaded in either place, you could check anvil.server.is_server_side to work out which it is. Eg:

if anvil.server.is_server_side():
    import ServerModule1
    ServerModule1.some_function()
else:
   anvil.server.call("some_function")

But this can get a bit verbose, so there are some shortcuts. For example, Server Methods in Portable Classes effectively implement the logic I described above: If you call a Server Method when you’re running on the client, it will make a server call; if you call it when you’re running on the server, it will execute as a direct function call.