I’ve always been using functions like query, update, insert, etc. in the page code (frontend). But recently someone has shown me that it’s possible to edit and resend requests using the browser dev tools. Since Wix sends requests for the functions, one can send a modified request and basically grant access to the database.
I wasn’t aware of this and now the permission settings for databases make sense to me.
I made this post to ask if it’s secure to run database functions in the frontend or if I should move all my database related function calls to the backend. I haven’t found any document/article recommending this to be done in the backend.
No, it is not that secure. There is an article about this: https://support.wix.com/en/article/velo-security-best-practices
Setting the right permissions helps, but there are other problems, like giving away too much info. See my https://www.wix.com/velo/forum/tips-tutorials-examples/giri-gives-a-fac-4-we-can-see-your-data-set
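Following the advice in this thread to keep writes in the backend, here is an added example (not from the post, and not Wix's own code) of a Velo-style backend function that treats the item coming from the browser as untrusted, since the request can be edited and replayed before it reaches the collection. The collection name, the field names, and the stubs standing in for wix-data and wix-users-backend are assumptions.

```javascript
// Added example: the shape of a backend web module (e.g. backend/orders.jsw).
// In the real .jsw you would prefix the functions with `export` and write:
//   import wixData from 'wix-data';
//   import { currentUser } from 'wix-users-backend';
// Here `user` and `data` are passed in as parameters so the file runs offline
// against the constructed stubs at the bottom.

// Only these client-supplied fields are allowed to reach the collection.
const ALLOWED_FIELDS = ['productId', 'quantity'];

function sanitizeOrder(clientItem, userId) {
  const clean = {};
  for (const field of ALLOWED_FIELDS) {
    if (clientItem[field] !== undefined) clean[field] = clientItem[field];
  }
  // Server-controlled values: an edited request cannot override these,
  // because whatever the client sent for them was never copied above.
  clean.ownerId = userId;
  clean.status = 'pending';
  // Validate the one numeric field rather than trusting the client's type.
  const qty = Number(clean.quantity);
  if (!Number.isInteger(qty) || qty < 1 || qty > 100) {
    throw new Error('invalid quantity');
  }
  clean.quantity = qty;
  return clean;
}

async function submitOrder(clientItem, user, data) {
  // Reject anonymous callers before touching the collection.
  if (!user.loggedIn) throw new Error('not authenticated');
  const item = sanitizeOrder(clientItem, user.id);
  // data.insert mirrors wixData.insert(collectionId, item) (assumed signature).
  return data.insert('Orders', item);
}

// Constructed stand-ins for wix-users-backend and wix-data (not real Wix objects).
const stubUser = { loggedIn: true, id: 'user-123' };
const stubData = {
  rows: [],
  async insert(collectionId, item) {
    const row = { _id: String(this.rows.length + 1), _collection: collectionId, ...item };
    this.rows.push(row);
    return row;
  },
};
```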