Can everyone access my Pocketbase on the web? #2345
Hi, just a quick question to understand it better. When I deploy a proxy server where I serve my PocketBase instance at `new PocketBase('https://example.com')`, a user can create, update and delete data from PocketBase while being on my website `https://testwebsite.com`. The question is: can every site connect to the database and create, update and delete data from my PocketBase? How can I restrict it only to my website `https://testwebsite.com`?
Replies: 4 comments 1 reply
Only those requests that satisfy the API rules of your collections will be able to perform the related action. If you haven't already, you can check https://pocketbase.io/docs/api-rules-and-filters/.

I'm not sure that I understand what you mean. If PocketBase is exposed to a public address then everyone can make requests against the server. Once again, this is OK as long as you have configured the correct API rules properly.

You can restrict browser requests to your PocketBase web APIs by specifying a CORS origins policy using `./pocketbase serve --origins=testwebsite.com`.

Note that the above will only prevent other hosts/websites from sending direct requests to your server from within the browser. It will not prevent users from sending requests via proxy, curl or any non-browser environment.
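The distinction the answer above draws (CORS only constrains browsers; collection API rules are the server-side check that every request hits) is easy to see in a small model. The following is an added example, not PocketBase's own code: it models an origin allow-list like the one `--origins` configures next to a deliberately tiny, hypothetical evaluator for a subset of PocketBase-style rule syntax (`@request.auth.id != ""` and `<field> = @request.auth.id`, joined with `&&`). The rule evaluator, the `Request` shape, the `handle_update` function and the 403 status are all simplifications for illustration; the real server's engine and status codes differ.

```python
"""Added example (not PocketBase's code): CORS allow-list vs. API-rule authorization."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample allow-list, mirroring `./pocketbase serve --origins=testwebsite.com`.
ALLOWED_ORIGINS = {"https://testwebsite.com"}


@dataclass
class Request:
    origin: Optional[str]      # HTTP Origin header; None for curl, scripts, proxies
    auth_id: Optional[str]     # id of the authenticated record; None when anonymous
    record: dict = field(default_factory=dict)  # the record the request targets


def cors_allow_origin(req: Request) -> Optional[str]:
    """Return the Access-Control-Allow-Origin value to emit, or None.

    This is all a CORS allow-list does: it tells a *browser* whether to let the
    page read the response. A client without an Origin header is never affected.
    """
    if req.origin is None:
        return None
    return req.origin if req.origin in ALLOWED_ORIGINS else None


def rule_allows(rule: str, req: Request) -> bool:
    """Evaluate a toy subset of PocketBase-style API rules (hypothetical evaluator).

    - empty rule        -> anyone may perform the action
    - '@request.auth.id != ""'       -> caller must be authenticated
    - '<field> = @request.auth.id'   -> record field must equal the caller's id
    Conditions are joined with '&&'.
    """
    if rule.strip() == "":
        return True
    for cond in (c.strip() for c in rule.split("&&")):
        if cond == '@request.auth.id != ""':
            if not req.auth_id:
                return False
        elif cond.endswith("= @request.auth.id"):
            field_name = cond[: -len("= @request.auth.id")].strip()
            if req.auth_id is None or req.record.get(field_name) != req.auth_id:
                return False
        else:
            raise ValueError(f"unsupported condition in this toy evaluator: {cond!r}")
    return True


def handle_update(rule: str, req: Request) -> dict:
    """Simulate the server's decision for an update request.

    Returns the status (200 or 403 in this model) and the CORS header that
    would be sent. The authorization decision never consults the Origin header.
    """
    headers = {}
    allow = cors_allow_origin(req)
    if allow:
        headers["Access-Control-Allow-Origin"] = allow
    status = 200 if rule_allows(rule, req) else 403
    return {"status": status, "headers": headers}


if __name__ == "__main__":
    owner_rule = '@request.auth.id != "" && owner = @request.auth.id'
    rec = {"id": "r1", "owner": "u1"}  # constructed sample record
    cases = {
        "curl, anonymous": Request(origin=None, auth_id=None, record=rec),
        "curl, as owner": Request(origin=None, auth_id="u1", record=rec),
        "unlisted site, as owner": Request(origin="https://evil.example", auth_id="u1", record=rec),
        "allowed site, as someone else": Request(origin="https://testwebsite.com", auth_id="u2", record=rec),
    }
    for name, req in cases.items():
        print(f"{name:32} -> {handle_update(owner_rule, req)}")
```

Running the block shows the point of the answer: the curl-style request from the owner is accepted although it came from no browser at all, the unlisted origin still reaches the authorization step (the browser merely would not get to read the reply), and the request from the allowed origin is refused because the rule, not the origin, decides.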
I want the user to create a collection but have some pre-checks that I want to do, so how can I limit that user? Because a malicious user can make a direct API call and create the collection. Because it only creates a user login...
OK, I will create another discussion.
By default, only admins can do anything. So practice safe password habits and you should be fine.