App Settings: Security

Manage your app's Security settings in Settings > General > Security

This article contains the following sections:

  • Script Attack Protection
  • Script Attack Protection Allowlist
  • Script Attack Protected Areas
  • IP Restrictions
  • Restrict API Responses
  • Secure Browser

Script Attack Protection

This setting prevents custom code that is not on the allowlist from being stored or executed in record values and views when a record is created or updated. This helps keep your apps secure and protects them against input-based attacks.

Notes: New apps have this setting enabled by default. Rich Text views continue to allow scripts when this setting is enabled.


Script Attack Protection Allowlist

When enabled, code that is not on our Script Attack Protection Allowlist will be prevented from saving in field values. Other values submitted will be saved as normal.

When form submission occurs, there will be no notification regarding the sanitization process in either the Live App or Builder; the affected values will simply not be saved.

Examples:

  • <script src="google.com">Hello world!</script>
    Saves as having no value.
    • Why? The <script></script> tag is code that is not on our allowlist.

  • <b onclick="alert('hello')">Hello world!</b>
    Saves as <b>Hello world!</b>
    • Why? The "onclick" portion is code that is not on our allowlist.

  • <b>Hello world!</b>
    Saves as <b>Hello world!</b>
    • Why? This HTML code is allowed.
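The following is an added example, not Knack's own sanitizer, showing how an allowlist sanitizer produces the three results listed above: a script element is removed together with its contents, an event-handler attribute is stripped while the tag is kept, and plain allowed markup passes through unchanged. ALLOWED_TAGS, ALLOWED_ATTRS and the function names are assumptions made for illustration; Knack's actual allowlist is not published on this page.

```javascript
// Added example (not Knack's code): a minimal allowlist sanitizer that reproduces
// the three behaviours listed above. ALLOWED_TAGS and ALLOWED_ATTRS are assumed
// for illustration; Knack's actual allowlist is not published on this page.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'strong', 'em', 'p', 'br', 'ul', 'ol', 'li']);
const ALLOWED_ATTRS = new Set(['class', 'title']);

// Matches one attribute: a name, optionally followed by = and a quoted or bare value.
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function sanitizeAllowlist(value) {
  // Step 1: a <script> element is never allowed, so drop it together with its
  // contents (this is why the first example above saves as an empty value).
  let out = value.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
  // An unterminated <script> would otherwise leave its payload behind as text.
  out = out.replace(/<script\b[^>]*>[\s\S]*$/gi, '');

  // Step 2: walk the remaining tags. Tags not on the allowlist are dropped
  // (their inner text is kept); allowed tags are rebuilt with only
  // allowlisted attributes, so "onclick" and friends never survive.
  out = out.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g, (_m, slash, name, attrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';
    if (slash) return `</${tag}>`;
    const kept = [];
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(attrs)) !== null) {
      const attrName = a[1].toLowerCase();
      // Event-handler attributes (onclick, onload, ...) are code, not markup.
      if (attrName.startsWith('on')) continue;
      if (!ALLOWED_ATTRS.has(attrName)) continue;
      kept.push(a[2] === undefined ? attrName : `${attrName}=${a[2]}`);
    }
    return kept.length ? `<${tag} ${kept.join(' ')}>` : `<${tag}>`;
  });
  return out.trim();
}

// Mirrors the "no notification" behaviour described above: the caller gets the
// cleaned value plus a flag it can use to log silently-dropped input itself.
function sanitizeWithReport(value) {
  const clean = sanitizeAllowlist(value);
  return { clean, changed: clean !== value };
}

// Constructed inputs: the three examples from the article.
const SAMPLES = [
  '<script src="google.com">Hello world!</script>',
  '<b onclick="alert(\'hello\')">Hello world!</b>',
  '<b>Hello world!</b>',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(sanitizeAllowlist(s)));
}
```

The regex-based tag walk is enough to illustrate the allowlist idea; a production sanitizer should be built on a real HTML parser, since attribute values containing ">" or malformed tags can confuse pattern matching.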

Script Attack Protected Areas

These areas are protected on all apps, regardless of the security setting. Entering code that is not on the allowlist into any of these areas will not be stored.

  Account
    • Name
    • Slug
  Table
    • Name
  Field
    • Name
    • Default Values
    • Formatting
  Page (scene)
    • Name
  Page Elements
    • Name
    • Title
    • Description
    • Label
    • "Reload Form" text
    • "Submit" button text
    • "No Data" text
    • Links
    • Groups
    • Columns
    • Field inputs

IP Restrictions

If enabled, only the IP addresses listed here can access the app. This setting is off by default and is available on Pro and higher-tier Knack plans.
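As an added example that is not part of the article, the check below shows how an IP allowlist of the kind described here is evaluated. The article only mentions listed addresses; support for CIDR ranges (for example 203.0.113.0/24) is an assumption added for generality, and the sample addresses and function names are constructed for illustration.

```javascript
// Added example (not Knack's code): evaluate a client IPv4 address against an
// allowlist of single addresses and CIDR ranges. CIDR support is an assumption
// beyond the article, which only speaks of listed addresses.

// Convert dotted-quad IPv4 text to an unsigned 32-bit integer, rejecting junk.
function ipv4ToInt(ip) {
  const parts = ip.trim().split('.');
  if (parts.length !== 4) throw new Error(`invalid IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`invalid IPv4 address: ${ip}`);
    return acc * 256 + Number(p);
  }, 0);
}

// Parse "a.b.c.d" or "a.b.c.d/n" into a network number and mask.
// A malformed prefix (e.g. "1.2.3.4/") is rejected rather than silently
// treated as /0, which would allow every address.
function parseEntry(entry) {
  const [addr, bits, ...rest] = entry.trim().split('/');
  if (rest.length) throw new Error(`malformed allowlist entry: ${entry}`);
  let prefix = 32;
  if (bits !== undefined) {
    if (!/^\d{1,2}$/.test(bits) || Number(bits) > 32) throw new Error(`invalid prefix length in: ${entry}`);
    prefix = Number(bits);
  }
  // "<< 32" is a no-op in JavaScript, so /0 needs its own case.
  const mask = prefix === 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) >>> 0;
  return { network: (ipv4ToInt(addr) & mask) >>> 0, mask };
}

// True when clientIp falls inside any allowlist entry.
function isAllowed(clientIp, allowlist) {
  const ip = ipv4ToInt(clientIp);
  return allowlist.map(parseEntry).some(({ network, mask }) => ((ip & mask) >>> 0) === network);
}

// Constructed sample allowlist using documentation address ranges.
const SAMPLE_ALLOWLIST = ['203.0.113.0/24', '198.51.100.9'];

for (const ip of ['203.0.113.7', '198.51.100.9', '192.0.2.1']) {
  console.log(ip, isAllowed(ip, SAMPLE_ALLOWLIST) ? 'allowed' : 'blocked');
}
```

Whatever enforces the list must take the client address from the actual connection (or from a proxy header it explicitly trusts), because a header such as X-Forwarded-For is client-controlled when no trusted proxy sits in front of the app.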

Restrict API Responses

When this option is enabled, only fields added to the view will be included in any record responses. This applies to the following scenarios:

  1. Record updates triggered through Live App's JavaScript events
  2. View-based API requests

Please note that this setting does not apply to the following situations:

  • Record inserts
  • POST API requests

In these cases, all fields will always be returned in the response payloads, regardless of the "Restrict API Responses" setting.

By default, the "Restrict API Responses" option is enabled, meaning that only fields in the element will be included in the response payloads for record updates via Live App's JavaScript events and view-based API requests.

This option can be useful in certain situations:

  1. Reducing response payload size: If your elements contain only a subset of fields from the associated tables, restricting the API responses to include only those fields can significantly reduce the size of the response payloads. This can improve performance and reduce data transfer overhead.
  2. Controlling data visibility: In some cases, you may want to limit the fields returned in the API responses for security or privacy reasons. By enabling this option and carefully selecting the fields to include in your views, you can control which data is exposed through the API.

Enabling this option may affect any custom code or integrations that rely on the presence of specific fields in the API responses. Make sure to review and update any affected code or integrations accordingly when enabling or disabling this setting.
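The following added example, which is not Knack's code, models the rule described in this section: a record returned for a Live App update event or a view-based API request is reduced to the fields the view contains, while record inserts and POST API requests return the full record regardless of the setting. It also shows the review step the last paragraph asks for, checking whether an integration's required fields are actually present in the view. The view definition, record, field keys and the request-kind labels are constructed assumptions.

```javascript
// Added example (not Knack's code): models "Restrict API Responses".
// View, record, field keys and request-kind labels are constructed for illustration.
const SAMPLE_VIEW = { key: 'view_1', fields: ['field_1', 'field_2'] };
const SAMPLE_RECORD = {
  id: 'rec_abc',            // assumed: the record id is always part of a response
  field_1: 'Alice',
  field_2: 'alice@example.com',
  field_3: 'internal note', // not in the view
  field_4: 'salary',        // not in the view
};

// Scenarios the setting applies to, and those it explicitly does not.
const RESTRICTED_KINDS = new Set(['live-app-update', 'view-api-get']);
const UNRESTRICTED_KINDS = new Set(['record-insert', 'post-api']);

// Return the response payload for a record under the given request kind.
function applyRestriction(record, view, requestKind, restrictEnabled = true) {
  if (UNRESTRICTED_KINDS.has(requestKind)) {
    return { ...record };               // inserts and POSTs always return all fields
  }
  if (!RESTRICTED_KINDS.has(requestKind)) {
    throw new Error(`unknown request kind: ${requestKind}`);
  }
  if (!restrictEnabled) return { ...record };
  const allowed = new Set(['id', ...view.fields]);
  return Object.fromEntries(Object.entries(record).filter(([key]) => allowed.has(key)));
}

// Review helper: which fields an integration relies on that the view does not expose.
// Anything returned here will be missing from restricted responses.
function missingFields(view, requiredFields) {
  return requiredFields.filter((f) => !view.fields.includes(f));
}

console.log('update response :', applyRestriction(SAMPLE_RECORD, SAMPLE_VIEW, 'live-app-update'));
console.log('insert response :', applyRestriction(SAMPLE_RECORD, SAMPLE_VIEW, 'record-insert'));
console.log('missing for integration:', missingFields(SAMPLE_VIEW, ['field_1', 'field_3']));
```

Running the review helper against each view an integration reads from, before toggling the setting, is the practical way to catch code that silently depends on fields the view does not display.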

Secure Browser

With this setting enabled, if anyone accesses your Live App on http://, they'll automatically redirect to the https:// version.


Note: This setting is enabled automatically for new apps.