UI Bakery Docs
© 2025 UI Bakery

Improving app security

Last updated 2 months ago

Security is a critical part of building internal applications, especially when these applications access private company information. In this article, you'll find suggestions on how to enhance your app's security.

Avoiding SQL injections when "Convert SQL queries to prepared statements" is disabled

By default, when connecting a database to UI Bakery, the Convert SQL queries to prepared statements option is enabled. This ensures that data source interactions are handled securely and efficiently:

  • The SQL query is parameterized and stored on the back-end, never being sent from the client side. This ensures that the end user cannot alter the query before execution.

  • Client-side query parameters are escaped before being added to the query, ensuring protection against SQL injections.

In some use cases, it is required to generate an SQL query on the client, which requires this setting to be disabled and the query to be sent from the client at runtime. In this scenario, the user can alter the query before sending it, which may damage the data source.

In this case, consider taking the following actions to improve security:

  • Create a separate data source with limited data/structure access and/or limited privileges. For example, if you need to access specific table data, create a database user restricted to that table and with no/limited permissions to other tables and databases.

  • Additionally, you can move the SQL-query creation Action to an Automation and call it as a webhook (an HTTP request) from the main application. In this implementation, the query generation is executed on the server, preventing the end user from altering it.
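As an added example (not UI Bakery's own code), this is the shape of query generation you would place in a server-side Automation that the app calls via webhook: the client sends only a small JSON spec, every identifier is checked against an allow-list, and every value is returned as a bound parameter, so no SQL text ever comes from the client. The `orders` table, its columns and the `buildQuery` name are assumptions.

```javascript
// Added example, not UI Bakery's own code: a server-side query generator of the
// kind you would run inside an Automation called via webhook. Identifiers must
// pass an allow-list and values are returned as bound parameters ($1, $2, ...).
// The "orders" table, its columns and all names here are constructed assumptions.

const ALLOWED = {
  orders: {
    columns: ["id", "customer_email", "status", "total"],
    filterable: ["customer_email", "status"],
    sortable: ["id", "total"],
  },
};
const OPERATORS = { eq: "=", gt: ">", lt: "<" };

// Double-quote an identifier that has already passed the allow-list check.
const ident = (name) => `"${name}"`;

function buildQuery(spec) {
  const table = ALLOWED[spec.table];
  if (!table) throw new Error(`table not allowed: ${spec.table}`);

  const columns = spec.columns && spec.columns.length ? spec.columns : table.columns;
  for (const c of columns) {
    if (!table.columns.includes(c)) throw new Error(`column not allowed: ${c}`);
  }

  const values = [];
  const where = (spec.filters || []).map((f) => {
    if (!table.filterable.includes(f.column)) throw new Error(`filter not allowed: ${f.column}`);
    const op = OPERATORS[f.op];
    if (!op) throw new Error(`operator not allowed: ${f.op}`);
    values.push(f.value); // becomes $n in the text, never interpolated
    return `${ident(f.column)} ${op} $${values.length}`;
  });

  let text = `SELECT ${columns.map(ident).join(", ")} FROM ${ident(spec.table)}`;
  if (where.length) text += ` WHERE ${where.join(" AND ")}`;
  if (spec.sort) {
    if (!table.sortable.includes(spec.sort.column)) throw new Error(`sort not allowed: ${spec.sort.column}`);
    text += ` ORDER BY ${ident(spec.sort.column)} ${spec.sort.desc ? "DESC" : "ASC"}`;
  }
  // LIMIT is clamped to a numeric range rather than taken from the client verbatim.
  const limit = Math.min(Math.max(parseInt(spec.limit, 10) || 50, 1), 500);
  text += ` LIMIT ${limit}`;
  return { text, values };
}
```

Calling `buildQuery({ table: "orders", filters: [{ column: "status", op: "eq", value: "paid' OR 1=1 --" }] })` yields `"status" = $1` in the text with the quoted string only in `values`, and any table, column or operator outside the allow-list is rejected before a query is produced.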

Managing anonymous access in public applications

By default, data source access is controlled via roles and permissions that restrict access for anonymous users. This method is effective for private apps but unsuitable for public apps that rely on anonymous user access.

To manage access, you can configure data sources to either allow or disallow anonymous access. Disallowing anonymous access completely blocks anonymous users, while enabling it grants them access to a data source.

With anonymous access enabled, a bad actor can inspect the requests made from the application to the data source, adjust parameters, or even execute arbitrary SQL queries if the Convert SQL queries to prepared statements setting is disabled on that data source.

For security reasons, we strongly recommend making your application private and using the UI Bakery authentication layer. If this is not feasible, consider the following recommendations to enhance your app's security:

  • Ensure data sources with anonymous access allowed have only the necessary permissions. Create a separate data source with limited data/structure access and/or limited privileges. For example, if you need to access specific table data, create a database user restricted to that table and with no/limited permissions to other tables and databases.

  • Relocate essential logic to a custom backend service and manage access with user-specific, time-limited tokens.

Securing current user context

By default, UI Bakery ensures that variables such as {{user.email}} and {{user.role}} are resolved on the server side when used in SQL queries.

In other cases, for example when {{user.email}} is used in an HTTP request or in a Load Row action step, it is sent from the client side, meaning it can be altered by the end user before sending.

In certain scenarios, securing the current user context is essential, for example when implementing row-level security in your applications.

To prevent unexpected behaviors, we suggest moving such actions to an Automation. When an automation is initiated from the UI Bakery app, the backend ensures that the {{user}} variable refers to the currently logged-in user. Check out the instructions below on how you can do that:

  1. Create an automation using the {{user.email}} variable. In our example, we used the UI Bakery Postgres data source and a Load Row action.

  2. Copy the automation webhook URL (right side panel) and create a new HTTP API data source:

    1. Give the data source a distinctive name, for example, Load current user.

    2. Provide the URL and key from the copied webhook in the data source settings.

  3. Use this data source in an HTTP Request action step.

Here, you can see that the current user email is securely accessed from the user context without being transmitted from the client side.