-
Security practices - IPv6 / DNSSEC / HTTPS / HSTS
We've done a project for a Dutch governmental organisation on another platform recently. A lot of effort went into getting the security rating of the platform sufficiently high to pass their IT requirement. Because of this we also started looking at how Xano scores on their metrics. Xano in a default configuration starts at…
-
Flutterflow + Xano + Firebase security
Hi everyone! Recently started a FlutterFlow project, I'm using Xano as the backend, and Firebase for auth and notifications. I'm storing the phone number used during login as an app state variable, which I then use as the identifier to get that user's data from Xano. This method works well, but I'm not sure about the…
-
Backups?
Hello, I think my Gmail account (which I use to connect to xano) was compromised and I'm a bit paranoid right now, changed the passwords and enabled the 2FA. I know that xano keeps a backup for 3 days or so, but on the dashboard, it says - Just wanted a bit more clarification, in case someone would be able to access my…
-
Change old user password
I have a post api to change user data, the password change function is now implemented as follows: Input "confirmOldPassword" should be equal to the old password, if this is true input "InputNewPassword" should replace the old password value. I don't know how to implement security for this logic, maybe it can be…
-
Handling Non-Printable Characters and Blacklisting in Database Field Validation
Hi Xano community, I have two questions around data field validation. Recently, we undertook a penetration test which suggested we enforce stricter field validation, mostly to prevent cross-site scripting attacks. While Xano's "filter" feature has been helpful (see the bottom of this page on Xano's documentation), we have…
-
Is there a plan to move record ids in the databases from ascending numeric to uuid?
Hi All, Was wondering from the perspective of security is there a roadmap to implement uuids? I don't mean as a function as I am aware that there is such a capability in Xano(https://docs.xano.com/working-with-data/functions/security#uuid), but rather as a default for the database. Any feedback will be much appreciated.
-
What type of security can I use on my Endpoints?
Hello everyone, maybe this is a very extensive question and it can have several points of view, but I would like to limit the question to: How can I have a security "filter", so that somehow the origin of the request can be recognized and depending on this it can take X or Y variables. This in order that if a user would…
-
What is best practice workflow to set up 1) update and 2) reset forgotten password in Xano+Bubble?
I am using Bubble for front end and migrating back end to Xano. I have workflows set up for new user sign-up, login and log-out using Xano's helpful video series. However I am struggling to find similar best practices for setting up a secure workflow for a user who wants to update their password within the web-app, or for…
-
Environment Variables and Protecting Exposure to Limited Access Developers?
Hello All, did some searching but not finding this specific use case: Is there a way to restrict access to environment variables so that a function can not expose them, but still be used in the API? If I rely on RBAC (Enterprise) to manage team members, they can still see environment variables which is a problem in our use…
-
Need help connecting APIs using Xano? Let's collaborate and streamline your integration process!
As a Xano user for almost a year, I'm excited to offer my assistance with API integration. While I have experience with the platform, I'm always eager to learn more and improve my skills. In fact, I believe that the best way to continue learning is through collaboration and working with others to solve problems. So, by…