-
How Do I Intercept OPTIONS Preflight for CORS?
When a preflight request is made to OPTIONS, I see no way of intercepting that request. I want to be able to set my own headers for CORS purposes. For example, requests that have credentials can't use Xano's default Access-Control-Allow-Origin: *. If I can't set the Access-Control-Allow-Origin to a specific origin, then my…
-
How do I reset the passwords
Hey Xanoers I am using Bubble and Xano together. Everything was great until I got to the reset/forgot password. I need a password reset for users who forget their password. I can't believe that Xano doesn't have this pre-built into auth... I can't seem to find any videos online either. Has anyone set up a Forgot Password…
-
Authentication and authtoken
Hello, I would like to add a login to my application so that I can display personalized information depending on who is logging in. Context: I'm trying to create an application with Bravo for the front end and my back end is made from Xano, and I'm using their free versions. I know that with their paid versions it's…
-
Extract Auth ID from an input parameter
I have a public endpoint that needs to return some initial data, however, if the User is Auth'd (required to make the booking) it needs to return the initial data with the additional data from the booking specific to the Auth ID. I would like to pass the Auth token via an input and extract the Auth details within a…
-
LinkedIn OAuth Issues
Hi, I am having issues with the LinkedIn OAuth and was wondering if anyone else is experiencing the same issues, or knows how to fix it? The following might be related to the issue I'm having, but it might not. Skip to the *** symbols if you just want to read the issue. PSA: I think the Marketplace plugin might be…
-
Azure SSO
I recently tried to authenticate through SSO and noticed that unfortunately Xano does not have direct integration with Azure AD. Where can I find a tutorial or documentation for integration between Xano and SSO in Azure?
-
Access Control Allow Headers
I'm calling my API endpoints from my React web app, and Firefox is giving me this warning: Cross-Origin Request Warning: The Same Origin Policy will disallow reading the remote resource at [Xano Endpoint URL] soon. (Reason: When the Access-Control-Allow-Headers is *, the Authorization header is not covered. To include the…
-
Paywall best practices
Hi, I am trying to implement complex paywall logic for my website content, and wanted to see if anyone had tips for best practices. I don't think I could use standard authentication on API calls, because I want to allow non-authenticated users to also have access to a specific amount of content per month. The paywall will…
-
How to make app HIPAA compliant?
Hey all, I’m wondering if anyone has experience getting their app HIPAA compliant. I’m guessing there’s a lot more to do than simply upgrade the Xano plan, but I haven’t found a clear roadmap on what to do next. Has anyone done this? Or know generally what the process is like? Some specific questions: is there an audit to…
-
Simultaneous multiple authentication sources for API
When requiring authentication for API endpoints, I saw you could set up and select any table; however, you can only choose one option. I have both a User and an Employee table. Some of my endpoints will be used for both my user and enterprise websites, so I want a way to have multiple simultaneous authentication sources.…
-
Remembering users for 30 days
What's the best way to implement remembering a user for 30 days when they check the box 'Remember me for 30 days' upon login? Is it as simple as updating the authorization token's expiration to 30 days in the login endpoint? Anything else to consider? Jack
-
Backups?
Hello, I think my Gmail account (which I use to connect to Xano) was compromised and I'm a bit paranoid right now; I changed the passwords and enabled 2FA. I know that Xano keeps a backup for 3 days or so, but on the dashboard, it says - Just wanted a bit more clarification, in case someone would be able to access my…
-
Change old user password
I have a POST API to change user data; the password change function is now implemented as follows: Input "confirmOldPassword" should be equal to the old password; if this is true, input "InputNewPassword" should replace the old password value. I don't know how to implement security for this logic, maybe it can be…
-
Forgot Password/Password Reset
I am using Wized 2 and Xano together. Everything was great until I got to the reset/forgot password functions. I have a client who does not want to use SendGrid at all. But I need a password reset for users who forget their password. I am shocked that Xano doesn't have this pre-built into auth... I can't seem to find any…
-
Handling Non-Printable Characters and Blacklisting in Database Field Validation
Hi Xano community, I have two questions around data field validation. Recently, we undertook a penetration test which suggested we enforce stricter field validation, mostly to prevent cross-site scripting attacks. While Xano's "filter" feature has been helpful (see the bottom of this page on Xano's documentation), we have…
-
Revoke authentication
We have been very impressed by the Xano system and community. We're running into a small question we can't seem to find the best answer for. Our proof of concept uses the authentication token to validate interactions between frontend (postman for now) and the backend. All is great and happy. Now we're running into the…
-
Hi, how do I implement Xano API security? What are the steps to generate an API key and implement it on an API?
-
Is there a plan to move record ids in the databases from ascending numeric to uuid?
Hi All, I was wondering, from the perspective of security, is there a roadmap to implement UUIDs? I don't mean as a function, as I am aware that there is such a capability in Xano (https://docs.xano.com/working-with-data/functions/security#uuid), but rather as a default for the database. Any feedback will be much appreciated.
-
What is best practice workflow to set up 1) update and 2) reset forgotten password in Xano+Bubble?
I am using Bubble for front end and migrating back end to Xano. I have workflows set up for new user sign-up, login and log-out using Xano's helpful video series. However I am struggling to find similar best practices for setting up a secure workflow for a user who wants to update their password within the web-app, or for…
-
Having trouble Decrypting a JWE Token
Hello, I can't figure out what I'm doing wrong to decrypt a JWE token… I was able to encrypt no problem, here is my encryption… and the returned variable …. but now here is the problem with decrypt, here is my set up… BUT EVERY TIME IT RETURNS AN EMPTY ARRAY. Am I missing something?? Any help is greatly appreciated!
-
Exporting/streaming endpoint logs
Hi, I understand that currently, logs are limited to 24h or so in the platform. While this might be sufficient for testing and pre-prod environments, it's quite an important hole for production environments. My question to the Xano team and the community: if you export/stream logs somewhere else, how do you manage that?…
-
Environment Variables and Protecting Exposure to Limited Access Developers?
Hello All, I did some searching but am not finding this specific use case: Is there a way to restrict access to environment variables so that a function cannot expose them, but they can still be used in the API? If I rely on RBAC (Enterprise) to manage team members, they can still see environment variables, which is a problem in our use…
-
Security - input sanitization (validation)
Hi, I'm building a process (API endpoint) which starts with a user input from a Webflow form. I am aware that it is good practice to sanitize such input on the backend, but I'm wondering if that is an issue with a solution like Xano? I will have some simple validation on the form (for example a basic email format check), but it…
-
Secure endpoint
I'm creating a website using Xano, and I found out that users can inspect the website and find the endpoint in my JavaScript files. Is there a way I can make the endpoint only run if it's being run on a specific domain?
-
Re the video "Securing your Xano APIs"
@Chris Coleman Thanks for that very helpful video. My app will be public facing and I assume the worst at all times. My question is: In Xano, is there a way to block traffic from specific countries?
-
Forgot/Reset Password not using SendGrid
Since Xano is an auth platform it shocks me that there isn't an easier way to set up password reset stuff... I cannot use SendGrid cause the client refuses to use it, and pay for it. They prefer MailChimp and told me to find a different solution. With that said, I am using Wized 2, and I'm trying to set up a password reset…
-
Does Xano use TLS 1.2?
Hi Xano team, I'm doing some security research for a client of mine that currently uses Xano, and they asked if data is transmitted using TLS 1.2. On Xano's docs, it seems pretty clear that data is transmitted over SSL. However, I've read that at times SSL and TLS are used interchangeably, so I wanted to reach out to…
-
Moving to firebase
Hi Guys, I've got to say that I love Xano; however, I am moving my app from Bravo to Flutterflow, and sadly that requires me to move my user table (for auth purposes) to Firebase. My question though is how would I go about exporting my users table? Especially users' passwords are an issue, as I obviously won't be able to get them…
-
Decoding a user access token generated by Firebase
Hello all, I'm using Firebase for user management and Xano for all other backend functionality. I am failing to decode a Firebase access token in Xano. I created a function Security -> JWS Decode, set the token to a valid token generated by Firebase, and set the key to be an object with path and value found via Firebase…
-
Secret Key Xano
Hello everyone, We plan to use Xano to manage our app data. However, to ensure maximum security for users, we would like to use the security functions as indicated here: https://docs.xano.com/working-with-data/functions/security Is it possible to save secret keys outside of Xano and/or outside of environment variables?…