bahar.wadia
Posts: 0
Joined: Wed Aug 07, 2013 2:05 am

Security with appery backend

My app allows users to create an account with a username and a password. I understand that the login process creates a Session token which determines the user's access to the database.

I am trying to evaluate security with the Appery backend and have a few questions. They may appear naive, but please bear with me.

1) If someone got access to '_id' for a user in Users data, would it compromise security?

2) Is the process of creating a user account as described in your docs the safest way to create a user account, or is there a better way?

3) How to transfer data between the server and the client securely?

4) How to set up security such that all users have read access to a collection, but the records in the collection can be updated only by administrative security (say, via a server-side script run occasionally)?

Thanks

maxkatz
Posts: 0
Joined: Fri Aug 13, 2010 3:24 pm

1) Just the _id is not sufficient. You also need to have access to the session id.

2) Yes. You can create a user via API or directly in the console.

3) Appery.io supports HTTPS.

4) Change the database to read only:
Image

bahar.wadia
Posts: 0
Joined: Wed Aug 07, 2013 2:05 am

Thank you for the response.

On question 3), can you show me how?

On question 4), not sure if I understand completely. Are you suggesting that by changing the database to read only, only server scripts have write access to the databases?

Oleg Danchenkov
Posts: 0
Joined: Tue Apr 30, 2013 5:51 pm

3) It's automatic. All DB requests use HTTPS.
4) Yes. You can use X-Appery-Master-Key from server code to update a read-only collection.
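
The server-side update described in the answer above, as an added example that is not part of the original post or Appery.io's own code. It builds the request so the master key is read from the environment, travels only over HTTPS, and is redacted before logging. The endpoint layout, the `X-Appery-Database-Id` header, the environment variable names and the function names are assumptions to check against the Appery.io REST documentation.

```javascript
// Added example: server-side update of a read-only collection with the master key.
// ASSUMPTIONS (not from the thread): the endpoint layout, the X-Appery-Database-Id
// header and the env var names are illustrative; check the Appery.io REST docs.
const API_BASE = "https://api.appery.io/rest/1/db/collections"; // assumed endpoint

function buildMasterKeyUpdate({ base = API_BASE, collection, id, fields, env = process.env }) {
  // The master key bypasses collection permissions, so it must never ship in client code.
  if (typeof window !== "undefined") {
    throw new Error("master key must only be used from server code");
  }
  const masterKey = env.APPERY_MASTER_KEY;   // hypothetical variable names
  const databaseId = env.APPERY_DATABASE_ID;
  if (!masterKey || !databaseId) throw new Error("missing APPERY_MASTER_KEY or APPERY_DATABASE_ID");

  const url = new URL(`${base}/${encodeURIComponent(collection)}/${encodeURIComponent(id)}`);
  // Refuse plaintext transport: the key travels in a request header.
  if (url.protocol !== "https:") throw new Error("refusing to send master key over " + url.protocol);

  return {
    url: url.toString(),
    method: "PUT",
    headers: {
      "Content-Type": "application/json",
      "X-Appery-Database-Id": databaseId,
      "X-Appery-Master-Key": masterKey,
    },
    body: JSON.stringify(fields),
  };
}

// Safe-to-log view of a request: secret headers are replaced before anything is logged.
function redactForLog(req) {
  const headers = { ...req.headers };
  for (const name of Object.keys(headers)) {
    if (/key|token/i.test(name)) headers[name] = "[redacted]";
  }
  return { method: req.method, url: req.url, headers };
}

// Sends the update; intended for the occasional administrative job the thread describes.
async function updateReadOnlyRecord(args) {
  const req = buildMasterKeyUpdate(args);
  console.log("admin update:", JSON.stringify(redactForLog(req)));
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`update failed: HTTP ${res.status}`);
  return res.json();
}
```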

bahar.wadia
Posts: 0
Joined: Wed Aug 07, 2013 2:05 am

3) Awesome

4) Thank you, makes sense.
