-
Flutterflow + Xano + Firebase security
Hi everyone! Recently started a FlutterFlow project, I'm using Xano as the backend, and Firebase for auth and notifications. I'm storing the phone number used during login as an app state variable, which I then use as the identifier to get that user's data from Xano. This method works well, but I'm not sure about the…
-
Can anyone help? I need to execute a jar file to generate a digital signature. Willing to pay!
I need to execute a jar file to generate a digital signature. I have excellent documentation for the jar file signature process and subsequent APIs. I can likely handle everything after obtaining the digital signature (see below). My specific ask is for help obtaining the digital signature by executing the jar file in or…
-
Backups?
Hello, I think my Gmail account (which I use to connect to xano) was compromised and I'm a bit paranoid right now, changed the passwords and enabled the 2FA. I know that xano keeps a backup for 3 days or so, but on the dashboard, it says - Just wanted a bit more clarification, in case someone would be able to access my…
-
Change old user password
I have a post api to change user data, the password change function is now implemented as follows: Input "confirmOldPassword" should be equal to the old password, if this is true input "InputNewPassword" should replace the old password value. I don't know how to implement security for this logic, maybe it can be…
-
Forgot Password/Password Reset
I am using Wized 2 and Xano together. Everything was great until I got to the reset/forgot password functions. I have a client who does not want to use SendGrid at all. But I need a password reset for users who forget their password. I am shocked that Xano doesn't have this pre-built into auth... I can't seem to find any…
-
Handling Non-Printable Characters and Blacklisting in Database Field Validation
Hi Xano community, I have two questions around data field validation. Recently, we undertook a penetration test which suggested we enforce stricter field validation, mostly to prevent cross-site scripting attacks. While Xano's "filter" feature has been helpful (see the bottom of this page on Xano's documentation), we have…
-
Is there a plan to move record ids in the databases from ascending numeric to uuid?
Hi All, Was wondering from the perspective of security is there a roadmap to implement uuids? I don't mean as a function as I am aware that there is such a capability in Xano(https://docs.xano.com/working-with-data/functions/security#uuid), but rather as a default for the database. Any feedback will be much appreciated.
-
Firebase ID token verification
Hey everyone, I am currently trying to verify a Firebase-generated ID token (my setup is: Firebase for auth, XANO as function & db backend). Thus, I'm in the process of writing a function to verify a Firebase auth token within Xano (to then auth within Xano and make authenticated API calls) - for this, I am following the…
-
What is best practice workflow to set up 1) update and 2) reset forgotten password in Xano+Bubble?
I am using Bubble for front end and migrating back end to Xano. I have workflows set up for new user sign-up, login and log-out using Xano's helpful video series. However I am struggling to find similar best practices for setting up a secure workflow for a user who wants to update their password within the web-app, or for…
-
What type of security can I use on my Endpoints?
Hello everyone, maybe this is a very extensive question and it can have several points of view, but I would like to limit the question to: How can I have a security "filter", so that somehow the origin of the request can be recognized and depending on this it can take X or Y variables. This in order that if a user would…
-
Environment Variables and Protecting Exposure to Limited Access Developers?
Hello All, did some searching but not finding this specific use case: Is there a way to restrict access to environment variables so that a function can not expose them, but still be used in the API? If I rely on RBAC (Enterprise) to manage team members, they can still see environment variables which is a problem in our use…
-
Security - input sanitization (validation)
Hi, I'm building a process (API endpoint) which starts with a user input from a Webflow form. I am aware that it is good practice to sanitize such input on the backend, but I'm wondering whether that is an issue with a solution like Xano. I will have some simple validation on the form (for example for a basic email format check), but it…
-
Need help connecting APIs using Xano? Let's collaborate and streamline your integration process!
As a Xano user for almost a year, I'm excited to offer my assistance with API integration. While I have experience with the platform, I'm always eager to learn more and improve my skills. In fact, I believe that the best way to continue learning is through collaboration and working with others to solve problems. So, by…
-
Secure endpoint
I'm creating a website using xano, I found out that users can inspect the website and find the endpoint in my JavaScript files. Is there a way I can make the endpoint only run if it's being run on a specific domain?
-
How to whitelist API requests from only specific Webflow website?
Hi, I'm trying to figure out how to secure my embedded POST functions on a Webflow website. Right now, any user is able to see the full endpoint url and therefore can use it on their own. Is there a way to whitelist requests only from an authorized webflow domain or perhaps there's a chance to secure/hide embedded…
-
Agency role: restrict access to developers
After transferring a workspace to a customer, I can see we have an Agency role in their team management. Based on this article, I understand that all our agency's members are now admin of this customer's environment. Is there any way to restrict access to a customer's environment on a per person basis, or maybe on a role…
-
Stripe Secure Webhook
Secure your data sent from Stripe to Xano via webhook, following Stripe's recommended approach for manual verification described here: If you are new to connecting Stripe to Xano, start with the Stripe Checkout template. Then, follow the instructions below to install this snippet. Here's how to get started: Snippet: Video…
-
Does Xano use TLS 1.2?
Hi Xano team, I'm doing some security research for a client of mine that currently uses Xano, and they asked if data is transmitted using TLS 1.2. On Xano's docs, it seems pretty clear that data is transmitted over SSL. However, I've read that at times SSL and TLS are used interchangeably, so I wanted to reach out to…
-
JWE decrypt not working
Hi, I'm trying to follow this tutorial https://www.youtube.com/watch?v=ydOlrknsMnw , but the decryption is not returning the payload. I've followed all the steps but it is not working 😣 Any ideas? Thanks!
-
Secret Key Xano
Hello everyone, We plan to use Xano to manage our app data. However, to ensure maximum security for users, we would like to use the security functions as indicated here: https://docs.xano.com/working-with-data/functions/security Is it possible to save secret keys outside of Xano and/or outside of environment variables?…
-
Encrypt certain fields in a record during record creation and decrypt under authorized access
What do I need to encrypt certain fields in a record during record creation and decrypt under authorized access? Thx