Does Appsmith store my data?
Appsmith does not store any data returned from your API endpoints or DB queries. Appsmith only acts as a proxy layer. When you query your database/API endpoint, the Appsmith server only appends sensitive credentials before forwarding the request to your backend. It doesn’t expose sensitive credentials to the browser as it can lead to security breaches. The routing ensures the security of your systems and data.
Security measures within Appsmith
Appsmith applications are secure-by-default. The security measures implemented for Appsmith installations are:
- All sensitive credentials, such as database credentials, are encrypted with AES-256 encryption. Each self-hosted Appsmith instance ensures data-at-rest security by configuring unique salt and password values.
- On Appsmith Cloud, all connections are TLS encrypted. For self-hosted instances, we offer the capability to set up SSL certificates via LetsEncrypt during installation.
- Appsmith Cloud will only connect to your databases/API endpoints through whitelisted IPs: 22.214.171.124 & 126.96.36.199, ensuring that you only expose database access to specific IPs when using our cloud offering.
- Appsmith Cloud is hosted in AWS data centers on SOC 1 and SOC 2 compliant servers. We also maintain data redundancy on our cloud instances via regular backups.
- Internal access to Appsmith Cloud is controlled through a Two-Factor Authentication System and audit logs.
The above reference to the audit logs pertains only to the cloud-hosted instance of Appsmith and does not refer to the audit logs feature.
Securely Executing Queries & APIs
Appsmith's backend system doesn't store any data when responding to API calls or executing any queries. The security measures implemented for Appsmith Executing Queries & APIs are:
- The Appsmith's backend system doesn't store any information about query responses or user inputs. Appsmith only acts as a proxy and never logs or stores the private/confidential data in Appsmith's data stores.
- To protect the application so that users cannot infer the executed query - Appsmith stores the query configuration and ensures that the SQL query body or custom API URLs are never exposed to the client in
- To avoid SQL injections, all SQL queries have prepared statements enabled by default.
The code is stored in the MongoDB database that Appsmith uses to store all other application configurations. To ensure that all data is secure, please read the following carefully:
You can add secrets to APIs or datasource configurations as they are not exposed in the view mode. You can update the secrets in edit mode but cannot view the existing secrets while viewing or editing the configurations.
clearInterval()available on Appsmith.
- Appsmith does not allow some actions like
- You should not store sensitive information using a
storeValuefunction because the data is stored in the browser's local storage and can be read.
Sandboxing Iframe widgets
The Iframe widget on older versions of Appsmith is vulnerable to XSS attacks. This was fixed in v1.8.6 of Appsmith. For this fix to be applied on your Appsmith instance, ensure you have the following environment variable set in your
This is automatically set for any Appsmith instance created after the release of v1.8.6.
The fix works by setting a
sandbox attribute on iframe widgets. This reduces what the widget is capable of, by a little bit, and shouldn't impact most real-world uses of this widget.
We maintain an open communication channel with security researchers to report security vulnerabilities responsibly. If you notice a security vulnerability, please email email@example.com, and we'll resolve it ASAP.