Backend processing for site security.

Hi, wixers.

After all, should all operations involving collection access be done in the backend for security reasons?

There are 2 ways you can address security with your collections. One is by setting the collection permissions to the most restrictive possible for your requirements, and secondly, yes, you can create any functions to manipulate data in your backend files. Keep in mind that if you are importing backend files into the page code to be called from the page, you should also set the permissions of the functions in your modules based on who should be allowed to call the function.

See these articles for more information:
https://support.wix.com/en/article/velo-about-web-module-permissions
https://support.wix.com/en/article/collection-permissions-an-overview

Thank you for your reply, Amanda.:smile:
I think I already know most things about the merits of backend processing and the importance of collection permission settings.

But if so, does that mean the benefit of accessing the collection from the public side is … zero? Does it mean that everything is inferior to processing on the backend side and returning only the processed result data to the public side?

import wixData from 'wix-data';

wixData.query("myCollection")
  .find() // get all data in this collection.
  .then((results) => {
    if(results.items.length > 0) {
      let items = results.items;
      //↑ this items array contains lots of   
      //and various information.
      //Could this data be illegally
      //obtained by a malicious viewer?  
    }
  })
  .catch((err) => {
    console.log(err);
  });

Personally I do not put data operations in front end code, but if you are saying that there is no danger at all for someone to access your query from the front end (non-confidential, permissions set appropriately), then you can hook it up this way.

It is also important to think about scale. Processing large amounts of data on the client side may not be ideal for your application.

This is really a question of considering your requirements now and in the future and architecting your approach based on that.

Something you may want to check out is a session hosted by one of our server developers about Wix data best practices.

Your code snippet didn’t load prior to my last reply. Yes, if that code is on the page (client side), anyone can see what is in that array.
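An added example, not part of the original thread and not Wix's own code: it contrasts what reaches the browser when the page runs the query itself with what reaches it when a backend function returns only an allow-listed view. The field names, `PUBLIC_FIELDS`, `toPublicView`, `getPublicItems`, `exposedFields` and the stub data API are assumptions made for illustration; only the `query("myCollection").find()` shape comes from the snippet above.

```javascript
// Assumption: the only fields any visitor may see. Everything else stays server-side.
const PUBLIC_FIELDS = ["_id", "title", "price"];

// Copy allow-listed fields only, so a column added later is private by default.
function toPublicView(item, fields = PUBLIC_FIELDS) {
  const view = {};
  for (const name of fields) {
    if (Object.prototype.hasOwnProperty.call(item, name)) view[name] = item[name];
  }
  return view;
}

// Backend-side function (hypothetical name). dataApi is anything with the
// query(name).find() shape used in the thread: wixData in a real backend
// file, a stub here so the example runs offline.
function getPublicItems(dataApi, collection = "myCollection") {
  return dataApi
    .query(collection)
    .find()
    .then((results) => results.items.map((item) => toPublicView(item)));
}

// Sorted list of every field name present in what the browser receives.
function exposedFields(items) {
  return [...new Set(items.flatMap((item) => Object.keys(item)))].sort();
}

// Constructed sample rows standing in for "myCollection".
const SAMPLE_ITEMS = [
  { _id: "a1", title: "Blue mug", price: 12, ownerEmail: "owner@example.com", costPrice: 4 },
  { _id: "b2", title: "Red mug", price: 14, ownerEmail: "other@example.com", internalNote: "discontinue" },
];

// Stub data API that returns the constructed rows.
const stubData = {
  query: () => ({ find: () => Promise.resolve({ items: SAMPLE_ITEMS }) }),
};

// Page-side query: the full items array reaches the browser.
console.log("client-side query exposes:", exposedFields(SAMPLE_ITEMS));

// Backend-side query: only the projected view reaches the browser.
getPublicItems(stubData).then((items) => {
  console.log("backend function exposes:", exposedFields(items));
});
```

The projection only helps if the collection permissions are also restrictive; if any visitor is allowed to read the collection, the page-side query still returns every field.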

Thank you very much Amanda.:grin:

From now on, personally, I’ll do as you do.

I’ll double-check my code to make sure that all collection-related functions are done on the backend side. Also, thank you for sharing such a useful video!!