Front-end Security in WeWeb

Hey community, I’ve been exploring front-end security in web development tools and recently learned about security features in Glide. I’m curious to know more about how WeWeb addresses front-end security and if there are comparable functionalities.

I’d greatly appreciate your guidance if you have insights, best practices, or resources regarding front-end security with WeWeb! My goal is to enhance the security of my app developed on WeWeb without relying on as many external services.

Thanks, everyone!

How do you mean?

Anything secure should only be passed to your front end after authorizing users such that they only see the data they should.

Additionally, serving your site over HTTPS is a must.

Hi @jaredgibb,
Ceilidh’s on my team. We use Auth0 for login and currently share some low-sensitivity content, but I would like to start sharing more. Airtable’s GDPR and SOC 2 security is fine and I would prefer to keep this as my database, but I see folks recommending Xano on here if sharing sensitive data on WeWeb. I see front-end tools like Softr note that they are secure document portals that work with Airtable. I see Glide mentions that there are visibility conditions vs. row owner restrictions and best practices around that. I’m just wondering if WeWeb is different than those tools when it comes to security. Thanks!

Hey @Carissa!

So: you can continue to use Auth0 on WeWeb. The issue folks have with Airtable is that there is no row-level security for Airtable. While you can filter, you can’t really set auth restrictions without using a middle man to proxy all the calls and manage the filtering of potentially secure data.

It’s likely that Softr acts as the proxy between your app and the Airtable DB. What do I mean by man in the middle?

Airtable gives you an API key. You can then use that to access your base and tables. BUT you can’t tell Airtable to strictly only give John rows that he should be able to see. SO, if you throw that key into a front-end builder without a middle man, you would be forced to do the filtering in the API call itself, which would result in the ability to essentially spoof the Airtable backend by sending inappropriate requests by unruly actors on your platform or anyone else watching network traffic. SO

the man in the middle can be a server set up in the cloud somewhere. That’s where you’d store your key and thus be able to keep it from being exposed to anyone. The app calls the man in the middle. The man in the middle calls Airtable, then passes the data back. So, no direct DB access.

I really like using Supabase and its row-level security. No man in the middle required at all, BUT you don’t get the same nice ‘slice/dice/display’ of data features that you do with Airtable. They’re simply 2 different tools.

So, to be really blunt: WeWeb has nothing to do with security, though you can build your app in a way to be more secure. You really will lock down your app by making the back end more secure, and the reality is that WeWeb is a front-end-only tool.