
Security with appery backend

Posted: Wed Jan 01, 2014 8:29 pm
by bahar.wadia

My app allows users to create an account with a username and a password. I understand that the login process creates a Session token which determines the user's access to the database.

I am trying to evaluate security with appery backend and have a few questions. They may appear naive, but please bear with me.

1) If someone got access to '_id' for a user in Users data, would it compromise security?

2) Is the process of creating a user account as described in your docs the safest way to create a user account, or is there a better way?

3) How to transfer data between the server and the client securely?

4) How to set up security such that all users have read access to a collection, but the records in the collection can be updated only by administrative security (say, via a server-side script run occasionally)?

Thanks



Posted: Wed Jan 01, 2014 11:03 pm
by maxkatz

1) Just the _id is not sufficient. You also need to have access to the session id.

2) Yes. You can create a user via API or directly in the console.

3) Appery.io supports https.

4) Change the database to read only.



Posted: Thu Jan 02, 2014 3:24 am
by bahar.wadia

Thank you for the response.

On question 3), can you show me how?

On question 4), not sure if I understand completely. Are you suggesting that by changing the database to read only, only server scripts have write access to the databases?



Posted: Thu Jan 02, 2014 8:38 am
by Oleg Danchenkov

3) It's automatic. All DB requests use https.
4) Yes. You can use X-Appery-Master-Key from server code to update a read-only collection.
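
The pattern from answers 3) and 4), sketched as an added example that is not part of the thread and not Appery.io's own code: a server-side job builds the update request with the master key read from its environment, refuses any non-HTTPS URL, and masks the key before logging. The endpoint path, the PUT method, the X-Appery-Database-Id header and the environment variable names are assumptions; only X-Appery-Master-Key comes from the thread.

```javascript
// Added example. Only the X-Appery-Master-Key header is named in the thread;
// the base URL, PUT method and X-Appery-Database-Id header are assumptions.
const API_BASE = "https://api.appery.io/rest/1/db/collections"; // assumed

// Build (do not send) the request a server-side job would issue to update
// one record in a read-only collection. The key is taken from the server's
// environment, never from anything shipped to the client app.
function buildMasterKeyUpdate(env, collection, recordId, fields, base = API_BASE) {
  const masterKey = env.APPERY_MASTER_KEY;   // hypothetical variable name
  const databaseId = env.APPERY_DATABASE_ID; // hypothetical variable name
  if (!masterKey || !databaseId) {
    throw new Error("master key and database id must be set in the server environment");
  }
  const url = new URL(
    `${base}/${encodeURIComponent(collection)}/${encodeURIComponent(recordId)}`
  );
  // The master key bypasses the read-only setting, so it must never travel
  // over plain HTTP.
  if (url.protocol !== "https:") {
    throw new Error("refusing to send the master key over " + url.protocol);
  }
  return {
    url: url.toString(),
    method: "PUT",
    headers: {
      "X-Appery-Database-Id": databaseId,
      "X-Appery-Master-Key": masterKey,
      "Content-Type": "application/json",
    },
    body: JSON.stringify(fields),
  };
}

// Copy of a request that is safe to write to logs: the key value is masked
// and the original request object is left untouched.
function redactForLog(request) {
  return {
    ...request,
    headers: { ...request.headers, "X-Appery-Master-Key": "[redacted]" },
  };
}

// Constructed sample values, for illustration only.
const demoEnv = { APPERY_MASTER_KEY: "constructed-key", APPERY_DATABASE_ID: "constructed-db" };
const demoRequest = buildMasterKeyUpdate(demoEnv, "prices", "rec1", { price: 5 });
console.log(redactForLog(demoRequest));
```

The client app keeps using the session token from login for its reads; only the scheduled server job ever holds the master key.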



Posted: Thu Jan 02, 2014 3:34 pm
by bahar.wadia

3) Awesome.

4) Thank you, makes sense.