# PayloadCMS 3.0 Security

7 messages · Page 1 of 1 (latest)

open vortex

I am building an app for client. /admin and /api are exposed to public.

I am interested in the following:

  • Does payload provide some kind of rate limiting / request throttling on login?
  • Is my API vulnerable in a way that anyone can fetch any collection or post data to a collection if I haven't set up anything security related?
  • Anything else I should know before rolling out to production security wise?
shut nova

You should definitely look up Access Control: https://payloadcms.com/docs/access-control/overview

If you set it properly, you won't have to worry about anyone reading, touching and modifying your data.

I'm not sure about the rate limiting, I believe it was part of v2, but now that it's all part of Next.js, you could probably set it up with a middleware? I never did it, so anyone please let me know if I'm wrong. A middleware could theoretically hide your API routes; you could also set a custom API route in the Payload config.

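Added example, not code from Payload, Next.js or anyone in this thread: since Payload 3.0 does not throttle login requests itself, a middleware in front of the login route would need its own limiter. The block below is the framework-free core such a middleware could call: a fixed-window counter keyed by client IP, a path check for Payload's login endpoint (`POST /<api route>/<auth collection slug>/login`, so `/api/users/login` with the defaults), and an `X-Forwarded-For` reader. The names `LoginRateLimiter`, `shouldThrottle`, `clientIp` and `simulateBurst`, the limits, and the header values are assumptions; the request burst at the end is constructed input.

```typescript
// Added example (not Payload's or Next.js's own code): a fixed-window login
// rate limiter keyed by client IP, of the kind a Next.js middleware in front
// of Payload's login endpoint could call. Framework-free so it runs on its own;
// `LoginRateLimiter`, `shouldThrottle` and the limits are assumptions.

interface RateLimitDecision {
  allowed: boolean;
  remaining: number;    // attempts left in the current window
  retryAfterMs: number; // 0 when allowed
}

class LoginRateLimiter {
  // Per-IP window state. In-memory, so it is per process (see the note below).
  private readonly windows = new Map<string, { start: number; count: number }>();
  private readonly maxAttempts: number;
  private readonly windowMs: number;

  constructor(maxAttempts: number, windowMs: number) {
    this.maxAttempts = maxAttempts;
    this.windowMs = windowMs;
  }

  // `now` (ms since epoch) is passed in so the logic is deterministic and testable.
  check(ip: string, now: number): RateLimitDecision {
    const w = this.windows.get(ip);
    if (!w || now - w.start >= this.windowMs) {
      // First attempt, or the previous window has expired: open a new window.
      this.windows.set(ip, { start: now, count: 1 });
      return { allowed: true, remaining: this.maxAttempts - 1, retryAfterMs: 0 };
    }
    if (w.count >= this.maxAttempts) {
      return { allowed: false, remaining: 0, retryAfterMs: w.start + this.windowMs - now };
    }
    w.count += 1;
    return { allowed: true, remaining: this.maxAttempts - w.count, retryAfterMs: 0 };
  }
}

// Payload serves login for an auth-enabled collection at POST /<api route>/<slug>/login,
// so with the default `/api` route and a `users` collection that is /api/users/login.
function shouldThrottle(
  method: string,
  pathname: string,
  apiRoute = '/api',
  authSlug = 'users',
): boolean {
  return method.toUpperCase() === 'POST' && pathname === `${apiRoute}/${authSlug}/login`;
}

// Only trust X-Forwarded-For when a proxy you control sets it; otherwise the
// client can forge the header and choose its own bucket.
function clientIp(forwardedFor: string | null, socketIp: string): string {
  if (!forwardedFor) return socketIp;
  return (forwardedFor.split(',')[0] ?? '').trim() || socketIp;
}

// Drive the pieces with a constructed burst of login POSTs from one address,
// one millisecond apart. Returns the allow/deny decision for each request.
function simulateBurst(attempts: number, maxAttempts = 5, windowMs = 60_000): boolean[] {
  const limiter = new LoginRateLimiter(maxAttempts, windowMs);
  const ip = clientIp('203.0.113.7, 10.0.0.2', '10.0.0.2'); // constructed header value
  const results: boolean[] = [];
  for (let i = 0; i < attempts; i++) {
    if (!shouldThrottle('POST', '/api/users/login')) {
      results.push(true);
      continue;
    }
    results.push(limiter.check(ip, 1_000 + i).allowed);
  }
  return results;
}
```

Two caveats a practitioner would want: the `Map` lives in one process, so on a multi-instance or serverless deployment each instance counts separately and a shared store (Redis or similar) is needed for the limit to mean anything; and an IP-keyed limiter complements, rather than replaces, Payload's per-account lockout, because the two defend against different attacks (one source hammering many accounts versus many sources hammering one account).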

open vortex

As far as I can see, if there are too many failed attempts trying to get into an account, the user's account gets locked for X amount of time, which can be specified in the config.

The collections also seem safe by default, resulting in GET requests from an unauthenticated client to endpoints such as http://localhost:3000/api/pages being 403 Forbidden.

shut nova

That's part of the access control that you can set for every collection. A blank Payload project won't have a Pages collection, so you'd have to set it all yourself. You can check the templates, though, and see for yourself how it's set up.

open vortex

My conclusion is that, by default, Payload data is safe from unauthenticated users. If you only need to store data and GET, POST, UPDATE, and DELETE it using the client or admin interface, you don't need any additional setup security-wise.

If you want to have some public data/collections use access control.

For other security I see that setting up CSRF prevention is crucial.
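A worked example added here, not code from the Payload project or from anyone in the thread, pulling together the three settings the thread discusses: per-collection access control (including a public-read collection), the account lockout `maxLoginAttempts` / `lockTime` options on an auth-enabled collection, and the `csrf` origin allow-list. The local types imitate the shape of Payload's access-function signature and config options so the block runs without the `payload` package; they are assumptions, as are the role names, the `_status` draft field (which exists only when `versions.drafts` is enabled on the collection), the origin `https://example.com`, and the `evaluateAccess` / `describe` helpers that show what each rule yields for an anonymous versus a logged-in request.

```typescript
// Added example (not Payload's own code): a config in the shape of
// payload.config.ts with access control, login lockout and CSRF origins, plus
// a small evaluator. The types below are stand-ins for Payload's own and are
// assumptions; nothing here is imported from the `payload` package.

type User = { id: string; roles: string[] };
type Where = Record<string, unknown>;
type AccessArgs = { req: { user: User | null } };
// Payload access functions return a boolean (allow/deny) or a Where query
// that Payload applies as a filter on top of the request.
type AccessResult = boolean | Where;
type Access = (args: AccessArgs) => AccessResult;
type Operation = 'read' | 'create' | 'update' | 'delete';

interface CollectionConfig {
  slug: string;
  // Payload's lockout options: attempts before lock, lock duration in milliseconds.
  auth?: { maxLoginAttempts: number; lockTime: number };
  versions?: { drafts: boolean };
  access: Record<Operation, Access>;
}

interface PayloadConfig {
  routes: { admin: string; api: string };
  csrf: string[]; // origins allowed to send cookie-authenticated requests
  cors: string[];
  collections: CollectionConfig[];
}

const loggedIn: Access = ({ req: { user } }) => Boolean(user);
const isAdmin: Access = ({ req: { user } }) => Boolean(user?.roles.includes('admin'));

// Public collection: anonymous readers get only published documents (a Where
// filter), logged-in users see everything (a plain `true`).
const readPublished: Access = ({ req: { user } }) =>
  user ? true : { _status: { equals: 'published' } };

const config: PayloadConfig = {
  routes: { admin: '/admin', api: '/api' },
  csrf: ['https://example.com'], // assumed front-end origin
  cors: ['https://example.com'],
  collections: [
    {
      slug: 'users',
      auth: { maxLoginAttempts: 5, lockTime: 10 * 60 * 1000 }, // lock 10 minutes after 5 failures
      access: { read: loggedIn, create: isAdmin, update: isAdmin, delete: isAdmin },
    },
    {
      slug: 'pages',
      versions: { drafts: true }, // gives each document the `_status` field used above
      access: { read: readPublished, create: loggedIn, update: loggedIn, delete: loggedIn },
    },
  ],
};

// Run the configured rule for one collection/operation against a request
// carrying `user` (null for an anonymous request).
function evaluateAccess(slug: string, op: Operation, user: User | null): AccessResult {
  const coll = config.collections.find((c) => c.slug === slug);
  if (!coll) throw new Error(`unknown collection ${slug}`);
  return coll.access[op]({ req: { user } });
}

// Name the outcome the way Payload treats it: boolean -> allow/deny, Where -> filtered.
function describe(result: AccessResult): 'allow' | 'deny' | 'filtered' {
  if (result === true) return 'allow';
  if (result === false) return 'deny';
  return 'filtered';
}
```

Two caveats worth keeping in mind: the lockout is tracked on the user document, so it slows an attacker guessing one account's password but does nothing against one source trying a common password across many accounts, and an attacker who knows a username can deliberately lock that user out for `lockTime`; and `csrf` only governs cookie-based sessions, so API clients using a bearer token or API key are not affected by it either way.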