Securing your Convex API
One thing that concerns me a little; how does Convex protect against intruders? It feels like if anyone can get ahold of your .convex.cloud url they can do anything? I don't think I've configured my production app URL anywhere for CORS or anything
You should consider your Convex backend as a publicly available API, so any endpoints you expose (via non-internal functions) should be written with that understanding. Authentication and authorization are how you generally gate access. There's more discussion in posts on this discord around handling abuse, rate limiting, etc.
Thanks, that makes sense to wrap the head around
What do you mean by anything? What can they do if they find our .convex.cloud url? (The .convex.cloud url isn't considered private, so they shouldn't be able to do anything bad, but I'm curious about specific concerns.)
They can do something bad if your public functions and query code that you wrote let them do something bad.