Hello,
I just noticed that the API key is included in the web page code (anybody could hack our backend) and cannot be encrypted (is this meant by encode?). I can encode the Get Record and Update Record URL placeholders. This is a critical issue. How can I make my app safe?
Thanks for answering this soon.
Kind regards,
Bert
By chance I found a similar question (there's no solution so far): Ninox Database - Thread / Optain Bearer-Token Client-Side?
I found a possible solution: Pipedream. But I'm not familiar enough with this tool to create a working workflow. Any expert out there? I would also pay for assistance.
I am afraid you are mixing things up here.
- including the API-key in the url is standard and thereby accessible by anybody. The API-key is not meant to secure data.
- "encoding" is not anything similar to encryption. You can find the information e.g. on Wikipedia here: Percent-encoding - Wikipedia
- securing your data needs to be done in your backend configuration by setting the "security rules". In case you are using Firebase for the backend, you can read about its security rules here: Firebase Security Rules | Firebase Documentation
- Passing the bearer-token in the header of an HTTP request will identify the user. Whether this is required to retrieve data depends on the "security rules" of your server.
Hi,
Thanks to Pipedream I could resolve the issues in the meantime. I also found the definition for "encoding" in the meantime and could apply it. Of course I could have used basic authentication (user name/password) but for our purpose this would be too complicated and isn't required either.
Kind regards,
Bert
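One way a relay placed between the page and the backend can keep the API key on the server side, as an added example that is not from this thread and is not Pipedream or Ninox code. The upstream URL, the path layout, the `BACKEND_API_KEY` variable, the bearer-style header and the function names are all assumptions made for illustration.

```javascript
// Added example: a server-side relay, so the API key never reaches the page.
// UPSTREAM_BASE, the path layout and BACKEND_API_KEY are placeholders.
const UPSTREAM_BASE = "https://backend.example.invalid/v1";
// Map, not a plain object: an action such as "constructor" must not match.
const ALLOWED = new Map([["getRecord", "GET"], ["updateRecord", "PUT"]]);

// Turn what the browser sent (action, record id, optional fields) into the
// upstream request. The key comes from the server side only.
function buildUpstreamRequest(clientReq, apiKey) {
  if (!apiKey) throw new Error("API key missing from server environment");
  const method = ALLOWED.get(clientReq.action);
  if (!method) return { error: 400, reason: "unknown action" };
  const id = String(clientReq.recordId ?? "");
  if (!/^[0-9]{1,12}$/.test(id)) return { error: 400, reason: "bad record id" };
  const req = {
    // Percent-encoding keeps the URL well-formed; it hides nothing.
    url: `${UPSTREAM_BASE}/records/${encodeURIComponent(id)}`,
    method,
    headers: { Authorization: `Bearer ${apiKey}` },
  };
  if (method === "PUT") {
    if (typeof clientReq.fields !== "object" || clientReq.fields === null) {
      return { error: 400, reason: "missing fields" };
    }
    req.headers["Content-Type"] = "application/json";
    req.body = JSON.stringify(clientReq.fields);
  }
  return req;
}

// Relay entry point: what the hosted workflow or endpoint would run.
async function relay(clientReq, env = process.env, fetchImpl = fetch) {
  const req = buildUpstreamRequest(clientReq, env.BACKEND_API_KEY);
  if (req.error) return { status: req.error, body: { error: req.reason } };
  const res = await fetchImpl(req.url, req);
  // Return only status and JSON body; upstream headers are not echoed back.
  return { status: res.status, body: await res.json() };
}
```

The relay hides the key and limits callers to the two listed actions, but anyone who can reach the relay can still perform them. Restricting who may call it, or which records each caller may touch, remains a matter of authenticating the user and of the backend's own access rules.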
@Bertrand_Gillert Sounds like you got the answer, but if you want more info on security in your apps, we have a general primer on the topic.