
The security scan checks your entire app and shows you a clear list of any issues it finds. For each one, it explains what the problem is and gives you a recommended fix you can apply with a single click.
You are responsible for your app’s security. The AI chat can help set things up, but always review your settings and run a security scan to make sure everything is configured the way you intended.
The security scan, including Fix All, is available on all plans, including the free plan.

Running a scan

To run a security scan:
  1. Click Dashboard in your app editor.
  2. Click Security.
  3. Click Run Security Scan.
  4. Review the issues listed under Issues details.
  5. Click Fix All to apply all recommended fixes at once, or expand an individual issue to fix it separately.
(Image: Running a security scan on your app)

The scan does not apply fixes automatically. Review the recommendations before applying them. For exposed credential and login verification gap issues, paste the issue into the AI chat in Discuss mode to get step-by-step instructions.

Understanding the scan results

The scan checks for five types of issues.

Data permission gaps

These appear when a data table is missing permission rules, or when people have more access than they should. Each issue shows the affected table, a description of the problem, and a table of recommended rules. Click Fix All to apply the recommendations, or click into the table to customize permissions manually.

Exposed credentials

These appear when API keys, passwords, or tokens are found somewhere app visitors could access them. Anyone who finds these credentials could use them to access your external services or data. To fix an exposed credential, remove it from the affected area and store it securely. Paste the issue into the AI chat in Discuss mode for step-by-step instructions.

Login verification gaps

These appear when a part of your app that runs behind the scenes gives out data without first checking who the person is. For example, a backend function that returns someone’s account details without confirming they are signed in. Paste the issue into the AI chat in Discuss mode and it will walk you through the fix.

Package vulnerabilities

These appear when a third-party library or tool your app uses has a known security issue. Each issue includes a severity level (Critical, High, Medium, or Low) and the recommended version to upgrade to.

Security headers

These appear when your app is missing browser-level protections that the scan recommends based on your app’s risk profile. For example, if your app has login or payments, it flags missing headers as high severity. Each issue shows the severity level and a Fix button that enables the header immediately. There are two headers the scan checks for:
  • Prevent Embedding (X-Frame-Options): Stops your app from being displayed inside an iframe on another site. This protects against clickjacking attacks, where someone tricks a user into clicking something on your app without realising it.
  • Restrict Browser Features (Permissions-Policy): Limits which browser features your app can access, such as the camera, microphone, and location. Restricting these reduces your app’s attack surface if it does not need them.
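As an added example (not part of the Base44 documentation or its scanner), the Python script below applies the same two checks to a set of HTTP response headers and reports what an app is missing. The severity rule mirrors the one described above (High when the app handles login or payments; Medium otherwise is an assumption), and the sample header sets are constructed.

```python
# Added example (not Base44's scanner): check a response's headers for the two protections the scan looks for.
from dataclasses import dataclass

SENSITIVE_FEATURES = ("camera", "microphone", "geolocation")  # features the page names as worth restricting

@dataclass
class Finding:
    header: str
    severity: str
    detail: str

def parse_permissions_policy(value: str) -> dict[str, str]:
    """Turn 'camera=(), geolocation=(self)' into {feature: allowlist}."""
    policy = {}
    for directive in value.split(","):
        if "=" not in directive:
            continue  # skip empty or malformed directives
        feature, allowlist = directive.split("=", 1)
        policy[feature.strip().lower()] = allowlist.strip()
    return policy

def check_security_headers(headers: dict[str, str], handles_login_or_payments: bool) -> list[Finding]:
    """Return one Finding per missing or ineffective header; an empty list means both protections are in place."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    severity = "High" if handles_login_or_payments else "Medium"  # "Medium" for other apps is an assumption
    findings = []
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append(Finding("X-Frame-Options", severity, "missing: app can be framed by another site (clickjacking)"))
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(Finding("X-Frame-Options", severity, f"invalid value {xfo!r}; browsers will not apply it"))
    pp = h.get("permissions-policy")
    if pp is None:
        findings.append(Finding("Permissions-Policy", severity, "missing: camera, microphone and location are unrestricted"))
    else:
        unrestricted = [f for f in SENSITIVE_FEATURES if f not in parse_permissions_policy(pp)]
        if unrestricted:
            findings.append(Finding("Permissions-Policy", severity, "does not restrict: " + ", ".join(unrestricted)))
    return findings

# Constructed sample responses, not captured from a real app.
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY",
                    "Permissions-Policy": "camera=(), microphone=(), geolocation=()"}

if __name__ == "__main__":
    for f in check_security_headers(WEAK_HEADERS, handles_login_or_payments=True):
        print(f"[{f.severity}] {f.header}: {f.detail}")
```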
You can also enable these headers at any time without running a scan first. To enable security headers:
  1. Click Dashboard in your app editor.
  2. Click Security.
  3. Click the Settings icon at the top right.
  4. Under Security Headers, toggle on Prevent Embedding, Restrict Browser Features, or both.
(Image: Advanced Security Settings)

FAQs

Run the scan before you publish your app for the first time, and again any time you make significant changes, such as adding new data tables, updating permissions, or connecting new integrations. The Security tab shows an out-of-date warning when your scan results are no longer current, so you know when to run it again.

Handle all requests to third-party services in backend functions and store API keys using secrets management. This keeps credentials out of places your app’s visitors could find them.

All data tables and private apps are encrypted. However, data is not end-to-end encrypted, which means Base44 admins can access your data if needed.