When I run my published app, I can use the browser’s “View Page Source” option and see the code (that’s form-based) for all of my application, which makes me wonder about the overall security of my app. Should I have minimized the amount of code in my forms and placed as much code as possible in a server module? I don’t recall reading anything in Anvil’s documentation about this approach being a best practice.
You can only see the form-based code (the stuff that runs in your browser), which would be the same if you wrote your app in vanilla JS or any other browser-based framework. Your server-side code is safe so long as it only returns info the user can safely view (for example, don’t return the whole Users object that might contain sensitive data).
@meredydd and others have said on here before that you should put nothing in the client side that you don’t want the world to see. Absolutely anything that is confidential (passwords, external database credentials, etc.) should be server side.
I make a point of only putting the bare minimum required for displaying data on the client.
As @david.wylie says, best practice is to keep any sensitive data or permissions-dependent behaviour on the server side. Client-side code is running in the user’s web browser, which is ultimately under their control.
The Security Model section of the reference docs may be helpful. In particular:
Once the app is loaded, forms and modules (“client code”) execute in the user’s web browser. Because the user has full control over their own web browser, a malicious user can edit form and module code to do whatever they want. We call this untrusted code: we can’t trust that Forms and modules will do what we tell them, and we must write our app knowing that any user (with the Share link) can edit the client code to do whatever they like. Server modules, by contrast, cannot be edited by the user, so we can trust them to do what we tell them.
(Having Python on both server and client should hopefully make it easy for you to move functions from client-side to server-side!)
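The rule from the posts above (return only what the user may see, and decide permissions on the server), as an added example that is not part of the original thread and is not Anvil's own code. It is plain Python in which `USERS`, `SAFE_FIELDS` and `ServerSession` are hypothetical stand-ins for a Users table and server-module functions.

```python
# Added illustration in plain Python. USERS, SAFE_FIELDS, ServerSession and its
# methods are hypothetical stand-ins for a Users table and server functions.
USERS = {  # constructed sample rows
    "alice@example.com": {"name": "Alice", "password_hash": "CONSTRUCTED-A", "is_admin": False},
    "bob@example.com": {"name": "Bob", "password_hash": "CONSTRUCTED-B", "is_admin": True},
}
SAFE_FIELDS = ("name",)  # the only columns the browser needs for display


class ServerSession:
    """Server-side state for one logged-in user; the browser cannot edit it."""

    def __init__(self, logged_in_email):
        # Assumption: set by the server at login, never taken from a call argument.
        self._email = logged_in_email

    def get_profile_unsafe(self, email):
        # Anti-pattern: the whole row, password hash included, reaches the client.
        return dict(USERS[email])

    def get_profile(self, email):
        # Only allow-listed columns leave the server.
        row = USERS[email]
        return {field: row[field] for field in SAFE_FIELDS}

    def delete_user_unsafe(self, email, caller_is_admin):
        # Anti-pattern: the flag is computed in form code, which the user controls.
        if not caller_is_admin:
            raise PermissionError("admin only")
        return USERS.pop(email, None) is not None

    def delete_user(self, email):
        # The permission is looked up on the server from the session identity.
        caller = USERS.get(self._email)
        if caller is None or not caller["is_admin"]:
            raise PermissionError("admin only")
        return USERS.pop(email, None) is not None
```

The two `_unsafe` methods are the "before" cases: one leaks a column the form never needed, the other lets a value supplied by the browser decide a permission.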
Ok, thanks guys. In reviewing my code, I’ll need to move some stuff over to my server module.
Shaun, can you clarify your statement:
Are you implying that a published app can NOT have its client code edited?
Any code that runs in the browser (i.e. Form code) is entirely under the user’s control. They can edit it to do whatever they like!
(The part about the sharing link is about private Anvil apps, with the long inscrutable URLs. For an app like that, if you don’t have the link, you can’t do anything - you can’t load its code, you can’t call its server functions, you can’t access its data tables even if they’re client-writable. The idea is to make it easier to build simple apps where every user is trusted – like those Google Docs sharing URLs where anyone with the link can edit the document. This definitely does not describe your app – your app is accessible to the public, so you have to make sure not to trust Form code!)
Thanks again, Meredydd. The reason I’m asking these questions is, even though I’ve been using Anvil for over 2 years now, I’m required at work this week to go through some long web security online training and it’s gotten me thinking about security in Anvil.