Hello dear Forumers,
Is a database with a 'no access' table safe from hackers' attacks?
What if I create a table with no access from client code and manage it through server code?
Or is it better to have an encrypted column?
What do you think?
Setting data table permissions to 'no access' is just one fundamental way to begin making Anvil apps more secure. The 'Can search table' and 'Can search, edit, and delete' permission options should only ever be used for convenience, in apps where access to a particular table represents no security threat whatsoever. With permissions set to those options, tables are exposed directly in client code, and that code can potentially be manipulated by end users, which would give hackers full access to all the data in those tables.
Moving all database query code to the server prevents access to that code, so that it can't be manipulated directly by a client user. Client code is then limited to passing argument values to a server function, but you still need to be sure not to perform operations such as 'eval' which could allow users to enter executable code (using ast.literal_eval(), for example, can be helpful).
All this just prevents data tables from being directly accessible in client code.
Adding authorization to pages is another critical piece of the security puzzle, so that unauthorized users don't have any access to client code without valid credentials. Requiring complex passwords and maintaining good password management procedures is also a fundamental requirement for building more secure apps.
Encrypting data at rest is required for compliance with HIPAA and other regulations. Encrypted columns are one way to help satisfy these requirements, but if you’re going to do that, it’s also required that encryption keys are stored securely and rotated, which means having a routine in place to update all encrypted values using a periodically changed new key (reading all previously encrypted values using the old key, and then re-saving them in place in the database using a new key). So using Anvil secrets together with cryptography.fernet, for example, is a viable way to store and implement encryption keys when reading and writing data to anvil data tables, but the process to keep keys rotated can be complex.
Encryption in transit is also a requirement for most sorts of security compliance. If you’re using anvil-app-server, terminating HTTPS is essential. Anvil-app-server makes it really easy to do that with the built-in Traefik/lets-encrypt integration (only on Linux, running anvil-app-server on Windows requires manual configuration of HTTPS termination using third party tools (nginx, caddy, etc.)).
If you're using anvil-app-server, you'll also need to perform penetration testing, and monitor and manage your server environment to prevent attacks. For example, if SSH access is provided to a person with malicious intent, or even if over-the-shoulder views of data are exposed, that can break all other security efforts.
Audit logs of access to any data are also required by most compliance requirements: user, values viewed/saved, timestamp, type of action (create, update, delete, etc.), source of action (IP address, device identifier, etc.), reason for the action, previous values, etc. I also log the names of functions that have been called, and all parameters sent to that function, any time any action is performed by a user that requires logging.
So, ‘no access’ permissions don’t mean that data is secure from hacker attacks, but it’s an absolutely minimal requirement to begin hardening security.
Here are some quick thoughts about practices I consider:
For quick 1-off in-house apps for little tools like to-do lists, supply ordering lists, etc., the ‘Can search, edit, and delete’ permission, together with write-back bindings, are a great way to build CRUD functionality in a few minutes. For apps like that, which don’t store any sensitive information, and which users need quick access to, often without authorization, the ‘Can search, edit, and delete’ permission and write-binding is perfect. As an aside, in apps like this, I’ll often send CSV backups of tables to a Google drive account or some other file storage location, not for any security purpose, but just to ensure if data values are ever unintentionally erased, they can be recovered.
I also find it really productive to quickly build admin interfaces in which one app accesses the same data tables as a primary user app. The primary user app may apply all sorts of controls over data access, so that data input is validated properly, access to tables is limited, etc. The admin app can make use of 'Can search, edit, and delete' permissions to quickly build a grid interface to all the columns and rows in a data table. The existence of the admin app may be completely hidden from most users, and require authorization to access. This sort of admin app can be built really quickly to provide managers full access to all the columns of a data table, in a single UI datagrid or repeating panel, for example. That's a nice way to skip past tons of work, in environments where security is not critical, but where you just want to control the way users interact with data, and provide an alternative quick interface to freely edit all the info in a database, only for certain users. In this sort of environment, where every user is trusted, the 'Can search, edit, and delete' permission may also be set in the user app.
For apps that require any sort of access by users who aren’t fully trusted, authorization and ‘no access’ permission is required. Other measures such as long URL names for apps hosted at anvil.works, and in-house hosting of apps running on anvil-app-server, can be helpful additional safeguards. I’ve also implemented some other little custom solutions such as ensuring client users are logging in from given IP addresses.
For anything requiring security compliance, full hard drive encryption, data table column encryption, rotated keys, HTTPS, password management enforcement, an IT team monitoring servers, best practices for access to every piece of the app environment, are all required.
To eliminate some of the troubles related to managing encryption and rotating keys, for situations in which that’s required, you may want to consider connecting to database solutions that provide automated encryption (MSSQL, Firestore, etc.).
If you’re involved with compliance requirements or serious security concerns of any sort, please don’t trust what I say here as anything more than friendly suggestions, all delivered without any understanding of your specific situation. Hire a consultant, a lawyer, someone with professional experience performing compliance review, an insurance agent, etc.
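The column-encryption and key-rotation routine described in the reply above (read every value with the old key, re-save it under a new key, and only then retire the old key), as an added example. This is not code from the post or from Anvil: the key store is a plain dict standing in for Anvil Secrets, the rows are a list of dicts standing in for a Data Table, and the column name 'account_number' is made up for the example. It uses cryptography.fernet, which the reply mentions, with MultiFernet so that values written under the old key still decrypt during the rotation window.

```python
"""Column-level encryption with key rotation using cryptography.fernet.

Added example, not code from the forum post or from Anvil. Assumptions
(all constructed for this example):
  - KEYSTORE is a dict standing in for Anvil Secrets (newest key first)
  - rows are a list of dicts standing in for rows of an Anvil Data Table
  - the encrypted column is named 'account_number'
"""
from cryptography.fernet import Fernet, InvalidToken, MultiFernet

ENCRYPTED_COLUMN = "account_number"

# Hypothetical key store. Old keys stay listed only until rotation has
# rewritten every stored value, then they are dropped.
KEYSTORE = {"column_keys": [Fernet.generate_key()]}


def _fernet() -> MultiFernet:
    """MultiFernet encrypts with the first key and decrypts with any listed key."""
    return MultiFernet([Fernet(k) for k in KEYSTORE["column_keys"]])


def encrypt_value(plaintext: str) -> bytes:
    """Encrypt one column value with the current (first) key."""
    return _fernet().encrypt(plaintext.encode("utf-8"))


def decrypt_value(token: bytes) -> str:
    """Decrypt a stored value; works with the current key or any still-listed old key."""
    return _fernet().decrypt(token).decode("utf-8")


def save_row(rows: list, customer: str, account_number: str) -> None:
    """Write a row the way a server function would, encrypting the sensitive column."""
    rows.append({"customer": customer, ENCRYPTED_COLUMN: encrypt_value(account_number)})


def rotate_column_key(rows: list) -> int:
    """Introduce a fresh key, re-encrypt every stored value under it, retire old keys.

    Returns the number of rows rewritten.
    """
    new_key = Fernet.generate_key()
    KEYSTORE["column_keys"].insert(0, new_key)  # first key is the one used to encrypt
    mf = _fernet()
    rewritten = 0
    for row in rows:
        # rotate() decrypts with whichever listed key fits and re-encrypts with the new key
        row[ENCRYPTED_COLUMN] = mf.rotate(row[ENCRYPTED_COLUMN])
        rewritten += 1
    # Only after every row has been rewritten is it safe to drop the old key(s).
    KEYSTORE["column_keys"] = [new_key]
    return rewritten


def decrypts_with(key: bytes, token: bytes) -> bool:
    """Return True if this single key can open the token (used to confirm retirement)."""
    try:
        Fernet(key).decrypt(token)
        return True
    except InvalidToken:
        return False


if __name__ == "__main__":
    table = []
    save_row(table, "alice", "DE89370400440532013000")  # constructed sample value
    old_key = KEYSTORE["column_keys"][0]
    count = rotate_column_key(table)
    token = table[0][ENCRYPTED_COLUMN]
    print(count, decrypt_value(token), decrypts_with(old_key, token))
```

In a real app the rotation loop would iterate over the Data Table rows in batches inside a server module, and the old key would stay in the secret store until the loop has completed, otherwise a failure halfway through leaves some rows unreadable.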
An important part of this is rechecking all authorizations in the server function itself. Don’t assume that because the user was able to call the server function that they’re allowed to perform the operation. Recheck everything in the server function before you perform any operations.
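The server-side pattern from the two replies above (client code only passes arguments to a server function, arguments are parsed with ast.literal_eval rather than eval, and the server function rechecks authorization itself before touching any data), as an added example. This is not code from either post or from Anvil: the user object, the login helper and the INVOICES list are constructed stand-ins for anvil.users.get_user() and an Anvil Data Table, and in a real app each of these functions would be decorated with @anvil.server.callable.

```python
"""Server-side data access with argument parsing and authorization rechecks.

Added example, not code from the forum posts or from Anvil. Constructed
stand-ins: login_as()/get_user() replace anvil.users.get_user(), INVOICES
replaces a Data Table, and the 'owner' column and 'admin' role are assumed.
"""
import ast
from dataclasses import dataclass


@dataclass
class User:
    email: str
    role: str  # 'admin' or 'user' (assumed role model)


class Forbidden(Exception):
    """Raised when the logged-in user may not perform the requested operation."""


_CURRENT_USER = None  # stands in for the session that anvil.users manages


def login_as(email: str, role: str = "user") -> None:
    global _CURRENT_USER
    _CURRENT_USER = User(email, role)


def logout() -> None:
    global _CURRENT_USER
    _CURRENT_USER = None


def get_user():
    return _CURRENT_USER


# Constructed sample rows standing in for an Anvil Data Table with 'no access' permission.
INVOICES = [
    {"id": 1, "owner": "alice@example.com", "amount": 100},
    {"id": 2, "owner": "bob@example.com", "amount": 250},
]

ALLOWED_FILTER_KEYS = {"id", "amount"}


def require_user() -> User:
    """Every server function starts here: being able to call it is not authorization."""
    user = get_user()
    if user is None:
        raise Forbidden("login required")
    return user


def parse_filter(filter_text: str) -> dict:
    """Turn a client-supplied filter string into a dict without ever calling eval().

    ast.literal_eval only accepts literals, so "__import__('os').getcwd()" is
    rejected with ValueError instead of being executed.
    """
    try:
        value = ast.literal_eval(filter_text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("filter must be a Python literal") from exc
    if not isinstance(value, dict) or not all(isinstance(k, str) for k in value):
        raise ValueError("filter must be a dict with string keys")
    unknown = set(value) - ALLOWED_FILTER_KEYS
    if unknown:
        raise ValueError("unknown filter columns: %s" % sorted(unknown))
    return value


def get_invoices(filter_text: str = "{}") -> list:
    """Return invoices matching the filter, restricted to the caller's own rows unless admin."""
    user = require_user()
    criteria = parse_filter(filter_text)
    rows = [r for r in INVOICES if all(r.get(k) == v for k, v in criteria.items())]
    if user.role != "admin":
        rows = [r for r in rows if r["owner"] == user.email]
    return [dict(r) for r in rows]


def delete_invoice(invoice_id: int) -> bool:
    """Delete one invoice; ownership is rechecked here, not trusted from the client."""
    user = require_user()
    for row in INVOICES:
        if row["id"] == invoice_id:
            if user.role != "admin" and row["owner"] != user.email:
                raise Forbidden("not the owner of invoice %d" % invoice_id)
            INVOICES.remove(row)
            return True
    return False


if __name__ == "__main__":
    login_as("alice@example.com")
    print(get_invoices())              # only alice's row
    print(get_invoices("{'id': 2}"))   # bob's row is filtered out, not just hidden in the UI
```

The point the second reply makes is visible in delete_invoice: the client can send any invoice id it likes, so the ownership check has to live in the server function rather than in the form that calls it.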
Thanks a million, Nick, for your very comprehensive answer!
It is really helpful not only for me but, I believe, for all Anvil developers.
Thank you very much, Jay!
The reason I started this topic in the forum is that data encryption makes the running application very slow, approximately two times slower.
That's why I'm trying to find a solution to build a secure application which stores sensitive financial information of users and runs fast and smoothly without runtime errors.