Appsmith
GithubDiscordAppsmith CloudCommunity Forum
Search…
v1.3
Introduction
Setup Appsmith
Tutorials
Sample Apps
Templates
How To Guides
Debugging Errors
FAQs
Telemetry
Security
Core Concepts
Connecting to Data Sources
Displaying Data (Read)
Capturing Data (Write)
Writing Code
Designing an Application
Building Dynamic UI
Access Control
Version Control with Git
JSON Web Tokens (JWT)
Datasource Reference
Amazon / Generic S3
ArangoDB
DynamoDB
Elasticsearch
Firestore
Google Sheets
MongoDB
MS SQL
MySQL
PostgreSQL
Redis
Redshift
Snowflake
SMTP
Framework Reference
Appsmith Context Object
Query
Show Modal
Close Modal
Download
Intervals (Time events)
Show Alert
Navigate To
Store Value
Copy To Clipboard
Reset Widget
JavaScript Editor (Beta)
Widget Reference
Audio
Audio Recorder
Button
Button Group
Camera
Chart
Checkbox
Checkbox Group
Container
Currency Input
Datepicker
Divider
Document Viewer
Form
Filepicker
Icon Button
Iframe
Image
Input
JSON Form
List
Maps
Map Chart
Menu Button
Modal
Multi-select
Multi-tree-select
Phone Input
Progress
Radio Group
Rating
Rich Text Editor
Select
Stat Box
Switch
Switch Group
Tabs
Table
Text
Tree-select
Video
Powered By GitBook
Security

Does Appsmith store my data?

No, Appsmith does not store any data returned from your API endpoints or DB queries. Appsmith only acts as a proxy layer. When you query your database/API endpoint, the Appsmith server only appends sensitive credentials before forwarding the request to your backend. The Appsmith server doesn't expose sensitive credentials to the browser because that can lead to security breaches. Such a routing ensures the security of your systems and data.

Security measures within Appsmith

Appsmith applications are secure-by-default. The security measures implemented for Appsmith installations are:
  • On Appsmith Cloud, all connections are TLS encrypted. For self-hosted instances, we offer the capability to setup SSL certificates via LetsEncrypt during the installation process.
  • All sensitive credentials, such as database credentials, are encrypted with AES-256 encryption. Each self-hosted Appsmith instance configures unique salt and password values ensuring data-at-rest security.
  • Appsmith Cloud will only connect to your databases/API endpoints through whitelisted IPs: 18.223.74.85 & 3.131.104.27, ensuring that you only expose database access to specific IPs when using our cloud offering.
  • Appsmith Cloud is hosted in AWS data centers on SOC 1 and SOC 2 compliant servers. We also maintain data redundancy on our cloud instances via regular backups.
  • Internal access to Appsmith Cloud is controlled through a 2-factor authentication system and audit logs.
The audit logs here are about Appsmith's cloud-hosted instance only and should not be confused with the audit logs feature.

Securely Executing Queries

The Appsmith's backend system doesn't store any information related to the inputs made by users using an app or the responses of the queries. It acts as a pure proxy system. It ensures that any private/confidential data is never logged or stored in Appsmith's data stores. Appsmith stores the configuration of the queries so that the SQL query body or custom API URLs are never exposed to the client in "view" mode. Thus protecting the application as viewers cannot deduce the executed query.
All SQL queries are also created with prepared statements switched on by default to prevent SQL injection from the client.

Securely Executing JavaScript

All JS written within Appsmith is executed on the client only. We don't execute any code on the server. Like all JS codes on the browser, the user can inspect the site and view the code. Hence, please code accordingly.
The code is stored in the MongoDB database that Appsmith uses to store all other application configurations. To ensure that all data is secure, please read the following carefully:
  1. 1.
    No API keys or sensitive keys are printed in plain text in the JS Code because the JS code is not stored in an encrypted format.
  2. 2.
    When you connect an application to Git, the JS Code will be stored as a JS file in the repository. Hence, the security measures you take with your standard JS code should be taken with the Appsmith's JS code.
We maintain an open communication channel with security researchers to report security vulnerabilities responsibly. If you notice a security vulnerability, please email [email protected], and we'll resolve them ASAP.
Previous
Telemetry
Next - Core Concepts
Connecting to Data Sources
Last modified 1mo ago
Copy link
Edit on GitHub
Contents
Does Appsmith store my data?
Security measures within Appsmith
Securely Executing Queries
Securely Executing JavaScript