Xano security checklist

Xano Security Best Practices

Xano is a powerful tool for building secure and scalable applications. However, security is a shared responsibility. While Xano provides the infrastructure, you must implement the right logic to protect your data.

Pro Tip: If you want to ensure your application is fully protected, we offer Xano security audits (which can be combined with WeWeb audits).


1. Authentication

API authentication ensures that only users with a valid "token" can access private data. This is the most fundamental security step, yet it is often overlooked during initial development.

  • Don't wait: Never be the "I’ll set it up later" developer. Secure your private endpoints from day one.
  • How to setup: Navigate to API -> Settings -> Authentication to configure your provider.

2. CORS Settings

CORS (Cross-Origin Resource Sharing) is a browser mechanism. By default, a page served from one origin is not allowed to read responses from an API on a different origin (and the browser refuses to send non-simple requests at all) unless the API's response headers explicitly permit that origin.

  • Why it matters: By limiting the Access-Control-Allow-Origin header to your own front-end origin (e.g., https://myapp.com), you stop a page on another site from using a visitor's browser to read data from your API. Never answer with * on an authenticated API.
  • Note: CORS only affects browser-based requests. A script, curl, or another server (including a Xano-to-Xano request) can still call your API with any Origin header or none, so CORS is not a substitute for authentication on the endpoint itself.
  • How to setup: Go to your API Group -> More options -> CORS Management.
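The allow-list behaviour described above, as an added example that is not Xano's own code: a small handler that echoes the exact allowed origin back and sends no CORS headers for anything else. The origin list, the `corsHeaders` and `handleRequest` names and the request shape are hypothetical.

```javascript
// Added example (not Xano's code). Hypothetical allow-list of front-end origins.
const ALLOWED_ORIGINS = new Set([
  'https://myapp.com',
  'https://staging.myapp.com',
]);

// Build the CORS response headers for the request's Origin header.
// Returns an empty object when the origin is not on the allow-list, so the
// browser will refuse to expose the response to that page's JavaScript.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': origin, // echo the exact allowed origin, never '*'
    'Access-Control-Allow-Methods': 'GET, POST, PATCH, DELETE',
    'Access-Control-Allow-Headers': 'Authorization, Content-Type',
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not serve one origin's headers to another
  };
}

// Minimal request handler (hypothetical shape): answers the browser's
// preflight and otherwise attaches the CORS headers to the normal response.
function handleRequest(req) {
  const headers = corsHeaders(req.headers.origin);
  if (req.method === 'OPTIONS') {
    // A preflight with no Access-Control-Allow-Origin makes the browser abort
    // the real request; nothing else needs to be done server-side.
    return { status: 204, headers, body: '' };
  }
  // The request itself still executes. A caller without a browser (curl, a
  // server) gets the data regardless, so authentication must guard the route.
  return { status: 200, headers, body: '{"ok":true}' };
}
```

The `GET` with no Origin header is the server-to-server case from the note above: it receives the full response and no CORS headers, which is exactly why CORS is a browser courtesy rather than an access control.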

3. UUID vs. Integer ID

Using a UUID (Universally Unique Identifier) instead of a sequential Integer ID is a major security win.

  • The Security Benefit: Sequential IDs (1, 2, 3...) are predictable. An attacker who sees /users/1042 can walk through 1043, 1044, ... and scrape or probe every record. Random (version 4) UUIDs carry 122 random bits and cannot be enumerated. A UUID only hides the identifier, though; the endpoint still needs an ownership check (see section 4).
  • Trade-offs:
      ◦ Storage: UUIDs take 16 bytes; Integers take 4.
      ◦ Performance: For massive tables (hundreds of millions of records), UUID indexes can be slightly slower, because random keys scatter inserts across the index.
      ◦ Xano Storage: Larger indexes consume more of your "Database SSD Storage" quota.

4. Referencing User ID in API

When building "self-service" features (like a user updating their own profile), never accept the target user_id as an input parameter.

  • The Vulnerability: If your API accepts user_id as an input, a malicious user can change that value to someone else's ID and read or modify their data (an insecure direct object reference).
  • The Fix: Always use auth.id (the ID embedded in the signed authentication token) to identify the user making the request. Where an endpoint legitimately takes a record ID (e.g., a post ID), load the record and compare its owner field against auth.id before touching it.
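The vulnerable and fixed handlers side by side, as an added example that is not Xano's code. The in-memory tables, the sample UUIDs, the `makeAuth` helper (standing in for the claims a verified token exposes as auth.id) and the handler names are all constructed for illustration; the table is keyed by UUIDs to show that a random ID alone does not close the hole.

```javascript
// Added example (not Xano's code). Constructed sample table keyed by UUIDs.
const users = new Map([
  ['6f1d2c3e-6b4a-4c2d-9a1e-0f1e2d3c4b5a', { email: 'alice@example.com', bio: 'Alice' }],
  ['0a9b8c7d-6e5f-4a3b-8c2d-1e0f9a8b7c6d', { email: 'bob@example.com', bio: 'Bob' }],
]);

// What middleware hands the function stack after verifying the token's
// signature; auth.id in Xano plays this role. Hypothetical helper.
function makeAuth(userId) {
  return { id: userId };
}

// VULNERABLE: trusts a user_id supplied by the caller. Any authenticated user
// who learns (or guesses) another UUID can overwrite that person's record.
function updateProfileVulnerable(auth, input) {
  const user = users.get(input.user_id);
  if (!user) return { status: 404 };
  user.bio = input.bio;
  return { status: 200, user_id: input.user_id };
}

// FIXED: the target record is always the caller's own, taken from the token.
// user_id is not an input at all, so there is nothing to tamper with.
function updateProfileFixed(auth, input) {
  const user = users.get(auth.id);
  if (!user) return { status: 401 };
  user.bio = input.bio;
  return { status: 200, user_id: auth.id };
}

// For records that legitimately take an ID as input (e.g. /posts/{post_id}),
// the check is ownership: the record's owner must equal auth.id.
const posts = new Map([
  ['p-1', { owner: '0a9b8c7d-6e5f-4a3b-8c2d-1e0f9a8b7c6d', title: "Bob's post" }],
]);

function updatePost(auth, input) {
  const post = posts.get(input.post_id);
  if (!post) return { status: 404 };
  if (post.owner !== auth.id) return { status: 403 }; // not the caller's record
  post.title = input.title;
  return { status: 200 };
}
```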

5. Back-end Password Strength

Don't rely solely on front-end validation for passwords; anyone can call the API directly and skip it. You can enforce complexity directly at the database level in Xano, so the rule applies wherever a password is set (sign-up, reset, and change flows alike).

  • How to setup: Go to your user table -> right-click the password column -> set up the required filters (e.g., minimum length, special characters).

6. Consistent Error Messages

According to OWASP (Open Web Application Security Project) recommendations, your login and password reset flows should not reveal whether a specific email address exists in your system.

  • Bad Example: "Email not found" or "Incorrect password." (Each one tells the caller whether the email is registered.)
  • Good Example: "Invalid email or password." For password reset: "If an account exists for this email, we've sent a reset link."
  • Why: Generic messages prevent "user enumeration," where attackers test lists of emails to see who has an account on your platform. The same goes for timing: do the password check even when the email is unknown, so an unknown email does not return noticeably faster than a wrong password.

7. Access to Swagger Documentation

Xano automatically generates Swagger documentation (an interactive map of your API). While helpful for developers, it shouldn't be public for production apps: it lists every endpoint and its inputs, which is exactly the reconnaissance an attacker would otherwise have to do by hand.

  • Configuration: You can restrict access to your Swagger documentation in the API Group Settings.

8. Role-Based Access Control (RBAC)

For apps with different user roles (e.g., Admin, Manager, User), checking permissions efficiently is key.

Strategies for Checking Permissions:

  1. Front-end Only (Worst): Never do this. Users can bypass front-end restrictions easily, and for the same reason never accept a role or organization ID as an API input.
  2. Query Every Call: Fetching user roles from the DB on every single API call. This is always up to date but adds a query to every request.
  3. Token Extras (Best for Performance): Encode the user's role or organization ID directly into the JWE Authentication Token using "Extras." You can read this data instantly without a database query. The extras are a snapshot taken when the token was issued, so a role change or revocation only takes effect when a new token is issued: keep token lifetimes short, or re-check the database for sensitive actions.
  4. Cached Functions: Use a cached function to store and retrieve user permissions temporarily. The same staleness caveat applies; invalidate the cache entry when a user's role changes.
