Hey there 
Just wrote a Twitter thread explaining how to secure a web app in 4 steps.
I’d love your feedback on it because it will help me write an article and record a video on the topic for the soon to be released Weweb blog and Weweb academy 
Is it helpful? Is anything unclear? Are you missing key information?
I think it’s really helpful and well done!
Awesome, clear, and informative thread.
I loved how you used screenshots and showed how the front-end, chrome developer tools, and the configuration in the no-code tools was all related.
My one recommended addition to your article is perhaps including a sentence or two about how to go about testing/auditing the security of your application after you’ve built it. For example, what type of person could you hire or service could you buy to run an audit/test on your system to check for these vulnerabilities?
Ooooh love that suggestion! Thank you, Wes 
I feel very useful and so clear!
Additionally, What is the best way to get user’s roles in frontend?
For example, I want to show a link to admin’s page only if the user is admin using supabase auth.
How can I easily get and check user’s roles?
Great question @IdeaGarage!
Assuming you’ve setup your Supabase like we did in this tutorial, you’ll be able to see a user’s role when they log in.
In the screenshot below, you see I have the “Customer” role:
You can then use that variable to check if the user has the “Admin” role or not. By binding the result to the display property, we hide the link to “Your fleet” page when the user doesn’t have that role:
But we display it when a user with the “Admin” role logs in:
Note that:
You still need to protect the “Your fleet” page by restricting its access to admins because the URL is still available in the current page’s source code
This formula is probably not the most elegant way of doing this because we’re counting on something to be undefined to make a decision but it works 
I’ll ask the devs on our team if they have a better solution!
Many thanks to you,Joyce! I really understood.
What about this code(no-code)?
toBool(lookup(“admin”,Supabase Auth - [‘user’][‘roles’],“name”))
By the way, Private access with user groups is only capable in Scale plan… I think these feature are quite basically in the test phase, so I should have created another workflow to check whether the user is Admin or not. (Already capped by access volume, so Starter plan should not to be restricted other points, for the developers and WeWeb growth, I assume)
We’re currently working on a new pricing plan. I’ll pass your suggestion along!
Awesome, very important subject and one that needs to be at the forefront of every low code project. Great post!
Agree on this topic as well!
@Joyce this thread was excellent.
Combined with Chris Coleman’s recent Xano tutorial about securing your APIs, I finally feel a sense of relief about applying security measures to my application.
Here is a link to his tutorial:
I think a very basic thing that most people might miss out: Don’t use your private keys for an API call in the frontend (Like Stripe, Airtable, Slack, etc).
Instead, call your backend, and use that to call the 3rd party service. Otherwise, your private keys become exposed
Chris is really rocking it lately
Awesome, thanks for sharing!
