
Securing a Flutter-web app with Appwrite

  • Flutter
LaurentLP
27 Feb, 2024, 09:21

Hey there, fellow Appwriters! I am developing a Flutter-web app with Appwrite to manage Auth, Database and Storage. I am quite new to web development so some of my questions might seem obvious.

I would like to secure my app against some well known security issues like XSS, CSRF, SQL/NoSQL injections. I am not well aware of what Flutter natively protects and what Appwrite natively protects.

  • XSS: I am using TextFields and TextFormFields for forms. Should I add some text sanitizing to prevent script injection? I have tried to put some script (<script>window.alert("hey!")</script>) in my fields but it was not executed by the browser. I have even created an entity in the app with that script as name. The special chars were not deleted but no script was executed either. The name was displayed in a Text widget and I think it prevents scripts from being executed from the server-client side.
  • CSRF: Users only access the app from the client side for authentication, database access (read/write) and file storage. Should I add custom tokens like JWT or is everything secured through the Client SDK and permissions?
  • SQL/NoSQL injections: I may be wrong, but I think that Appwrite uses a collections/documents database system like NoSQL on top of some MariaDB. So data is stored like NoSQL as collections but with strong types for attributes. I am not very familiar with the concept of NoSQL injection, but I have seen it through research. Are there some protections on the Appwrite side against NoSQL (or SQL) injections or should I set prepared statements before requesting the Appwrite database?

That's a lot I admit, but if anyone has answers it would be greatly appreciated!

TL;DR
Developing a Flutter-web app using Appwrite for Auth, Database, and Storage.
  • XSS: No need to sanitize text as Flutter seems to handle script injections.
  • CSRF: Appwrite uses cookies for authentication, seems secure.
  • SQL/NoSQL injections: Appwrite handles DB with prepared statements, no need to worry unless writing backend.
Recommended article for further insights: https://dev.to/carminezacc/securely-storing-jwts-in-flutter-web-apps-2nal
Ernest
27 Feb, 2024, 09:51

I'm neither an expert on Flutter Web nor security but you probably needn't worry about any of these issues.

SQL injections: Appwrite handles all DB stuff and I'm pretty sure they use prepared statements. Also, you have no way of creating prepared statements in your Flutter app. You only need to worry about this if you're writing the backend yourself.

Check out this article; it may help clarify a few things. https://dev.to/carminezacc/securely-storing-jwts-in-flutter-web-apps-2nal

PS: Appwrite uses cookies for authentication on the web
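An added illustration of the XSS point raised in the question (example code, not from the thread, the Appwrite SDK or Flutter itself): the script-as-name test stays inert because a Text widget draws the string as glyphs, never as markup. The risk only reappears if the app itself pushes the stored value into the DOM as HTML. It assumes the value comes from a document's `data['name']` field and uses a hypothetical view id `raw-name-view`.

```dart
import 'dart:html' as html;
import 'dart:ui_web' as ui_web;
import 'package:flutter/material.dart';

// Safe (what the question describes): whatever was stored in Appwrite,
// including '<script>window.alert("hey!")</script>', is rendered as plain
// text. Flutter does not hand the string to the browser's HTML parser.
Widget safeName(String nameFromAppwrite) => Text(nameFromAppwrite);

// Still safe: if raw HTML really must be rendered, dart:html's innerHtml
// setter runs the default sanitizer, which strips scripts and inline
// event handlers before the fragment reaches the DOM.
html.DivElement sanitizedNameElement(String nameFromAppwrite) =>
    html.DivElement()..innerHtml = nameFromAppwrite;

// Unsafe (the pattern to avoid): turning the sanitizer off and injecting
// untrusted data as markup through a platform view re-introduces XSS,
// because the browser now interprets the stored value as HTML.
Widget unsafeName(String nameFromAppwrite) {
  const viewType = 'raw-name-view'; // hypothetical view id
  // In a real app register the factory once, not on every build.
  ui_web.platformViewRegistry.registerViewFactory(viewType, (int viewId) {
    return html.DivElement()
      ..setInnerHtml(nameFromAppwrite,
          treeSanitizer: html.NodeTreeSanitizer.trusted);
  });
  return HtmlElementView(viewType: viewType);
}
```

Review for `NodeTreeSanitizer.trusted`, `setInnerHtml` with a custom validator, or JS interop that writes `innerHTML`; those are the only places a Flutter-web app can undo the protection the question observed.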
