Hey there, fellow Appwriters! I am developing a Flutter-web app with Appwrite to manage Auth, Database and Storage. I am quite new to web development, so some of my questions might seem obvious.
I would like to secure my app against some well known security issues like XSS, CSRF, SQL/NoSQL injections. I am not well aware of what Flutter natively protects and what Appwrite natively protects.
-
XSS : I am using TextFields and TextFormFields for forms. Should I add some text sanitizing to prevent script injection? I have tried to put a script (<script>window.alert("hey!")</script>) in my fields, but it was not executed by the browser. I have even created an entity in the app with that script as its name. The special chars were not deleted, but no script was executed either. The name was displayed in a Text widget, and I think it prevents scripts from being executed from the server-client side.
-
CSRF : Users only access the app from the client side for authentication, database access (read/write) and file storage. Should I add custom tokens like JWT, or is everything secured through the Client SDK and permissions?
-
SQL/NoSQL injections : I may be wrong, but I think that Appwrite uses a collections/documents database system like NoSQL on top of some MariaDB. So data is stored like NoSQL as collections, but with strong types for attributes. I am not very familiar with the concept of NoSQL injection, but I have seen it through research. Are there some protections on the Appwrite side against NoSQL (or SQL) injections, or should I set prepared statements before requesting the Appwrite database?
That's a lot, I admit, but if anyone has answers it would be greatly appreciated!
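Added illustration of the XSS observation in the post above. This is not part of the original post and is neither Flutter nor Appwrite code: it is plain JavaScript showing, in terms of the HTML a browser would end up with, why a name like `<script>window.alert("hey!")</script>` stays inert when it is rendered as text (a DOM text node, or a Flutter Text widget painting glyphs) and what changes if the same value is concatenated into raw HTML instead. The helper names (`escapeHtml`, `renderAsText`, `renderAsRawHtml`, `safeHref`, `hasActiveMarkup`) and the sample values are my own.

```javascript
// Added example, not from the original post and not Flutter/Appwrite code.
// The same untrusted value is rendered two ways; only the raw-HTML path lets
// markup become active. A third helper covers the URL context, where escaping
// alone is the wrong tool.

// Constructed sample: the value the poster typed into the name field.
const UNTRUSTED_NAME = '<script>window.alert("hey!")</script>';

// Escape for HTML text and double/single-quoted attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Safe: what a text-node rendering (textContent, or a Text widget) amounts to
// when serialised as HTML. Angle brackets are data, so nothing can execute.
function renderAsText(value) {
  return `<span class="name">${escapeHtml(value)}</span>`;
}

// Unsafe: string concatenation into raw HTML (the innerHTML / document.write
// pattern). The untrusted value becomes part of the document's markup.
function renderAsRawHtml(value) {
  return `<span class="name">${value}</span>`;
}

// URL context: escaping does not help against javascript: links, so require an
// absolute http(s) URL and fall back to an inert '#' for anything else.
function safeHref(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch {
    return '#';
  }
  return url.protocol === 'https:' || url.protocol === 'http:' ? url.href : '#';
}

// Rough check (a heuristic for the demonstration, not a sanitiser): does the
// serialised HTML contain a script element or an inline event-handler
// attribute inside a tag?
function hasActiveMarkup(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

console.log('as text    :', renderAsText(UNTRUSTED_NAME), '| active:', hasActiveMarkup(renderAsText(UNTRUSTED_NAME)));
console.log('as raw HTML:', renderAsRawHtml(UNTRUSTED_NAME), '| active:', hasActiveMarkup(renderAsRawHtml(UNTRUSTED_NAME)));
console.log('href       :', safeHref('javascript:alert(1)'), safeHref('https://appwrite.io/docs'));
```

The practical takeaway for the question: a widget or API that treats the string as text is safe on its own for that context, so no input-side "sanitizing" is needed to prevent the script from running there. The risk returns only where the value is handed to something that interprets markup (raw HTML, a URL, a shell, a query built by string concatenation), and each of those contexts needs its own encoding or validation rule rather than one generic filter applied to the TextField.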