After discovering some of the insecurities of using Parse.com to store data, I’ve been researching techniques to use to make applications more secure. I’ve discovered a number of ways to help secure your data and protect personal information stored in your database through settings and server-side code. If you use the JavaScript SDK to connect to Parse, some of these techniques are critical to secure your app.
Easy Win – Secure Your Classes
If you are running the JavaScript SDK on a production application, whether mobile or web-based, there are two quick wins to help secure your data.
Disable Class Creation
In order to stop people creating classes in your database (as I did in my previous article), you should turn off class creation. The setting can be found under [Settings] > [General Settings] > [App Permissions].
Set Class Level Permissions
If you want to stop users from accessing, creating or deleting data, you can set class-level permissions quite easily through the Parse.com Data Browser. For example, you may want to allow creation so users can register to your app, but you will want to disable deletion, so user data cannot be erased. Class-level permissions can be set by going to [Data Browser] > Select a Class > Click the [More] dropdown > Select [Set permissions].
In general, you should disable Delete and Add fields permissions for all classes. If you need the user to be able to delete rows from your Classes, you should use the ACL functionality to give the user permissions to delete only certain data. If you don’t need users to be able to access other users’ data, you should also disable Get and Find – these are crucial to keeping email addresses, usernames and other details stored in the default User class private.
The JavaScript user.logIn and user.signUp functions will continue to work even if Get and Find are disabled.
Overriding ACL using PHP
If you set restrictive permissions, either using ACL or class-level permissions, you can override these using server-side code and the Master Key. The unofficial PHP Parse library can be used to access your Parse database in a secure way, allowing you to delete data, for example.
Unfortunately, the documentation for the PHP library isn’t very good, so I’ve included examples of how to access, create or find data using the PHP library:
Using PHP to Remove Sensitive Data
Setting ACL on objects is your best defence for protecting data against malicious behaviour; however, Parse’s ACL functionality is somewhat limited. While you can protect an entire row from reading or writing, you cannot yet protect individual columns. For example, I cannot open up the default User class to all users while hiding sensitive data (like email addresses) from everyone. It’s either all or nothing.
Using the default User class is the best way to authenticate users, but to keep it secure you should disable Get, Find, and Delete for the public so sensitive data stays private. If you need to expose data from this class to other areas of your application, you should use server-side code to access the data, and at the same time hide what you don’t want everyone to see.
A simple example is:
The above code gets the first 100 users from the default User class, removes sensitive data (including the email address and the Facebook auth token if it exists), and then returns the results in JSON format. This script can then safely be accessed using an AJAX call without having to worry about exposing private data.
If you have lots of data, you can easily add pagination to the API call. If the data isn’t likely to change very often, you can also cache the results so you don’t have to request and strip the data every time it’s needed – this will also help reduce your API requests.
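An added example, not the original post's code and not the PHP library's API: the stripping step described above, done with an allow-list so that columns added later stay private by default, combined with the pagination mentioned in the last paragraph. The rows are constructed sample data; displayName, the limit and p parameters and the function names are assumptions.

```php
<?php
// Added example with constructed data; it does not call the Parse PHP library.
// objectId, username, email, authData and sessionToken are standard Parse user
// fields; displayName is a hypothetical custom column.
const PUBLIC_USER_FIELDS = ['objectId', 'username', 'displayName', 'createdAt'];
const MAX_PAGE_SIZE = 100;

/** Keep only allow-listed fields, so email, authData and any future column are dropped. */
function publicUser(array $row): array
{
    return array_intersect_key($row, array_flip(PUBLIC_USER_FIELDS));
}

/** Validate client-supplied paging values; bad input falls back to safe defaults. */
function pageParams(array $get): array
{
    $limit = filter_var($get['limit'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['default' => 20, 'min_range' => 1, 'max_range' => MAX_PAGE_SIZE]]);
    $skip = filter_var($get['p'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['default' => 0, 'min_range' => 0]]);
    return ['limit' => $limit, 'skip' => $skip];
}

/** Build the JSON body the AJAX caller receives. */
function renderUsers(array $rows, array $get): string
{
    $page = pageParams($get);
    // With a real backend, limit and skip go into the query; here the sample is sliced.
    $slice = array_slice($rows, $page['skip'], $page['limit']);
    return json_encode(['results' => array_map('publicUser', $slice)], JSON_THROW_ON_ERROR);
}

$sample = [ // constructed rows shaped like User class results
    ['objectId' => 'a1B2c3D4e5', 'username' => 'alice', 'displayName' => 'Alice',
     'email' => 'alice@example.com', 'createdAt' => '2014-01-01T10:00:00.000Z',
     'authData' => ['facebook' => ['id' => '1', 'access_token' => 'constructed-token']]],
    ['objectId' => 'f6G7h8I9j0', 'username' => 'bob', 'email' => 'bob@example.com',
     'sessionToken' => 'constructed-session', 'createdAt' => '2014-01-02T10:00:00.000Z'],
];

if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json');
}
echo renderUsers($sample, $_GET), PHP_EOL;
```

Because the filter names what may leave the server rather than what must be removed, a sensitive column added to the class later is not exposed until someone deliberately lists it.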
Nice. Very Nice. Love Parse and their JavaScript SDK but security has always worried me. Nice to have this all clearly thought out like this and good food for thought for future apps. refactoring EVERYTHING
Thanks for the very nice article. Is disabling Get & Find in the data browser equal to postACL.setPublicReadAccess(false)?
Yes.
Thanks Niraj for the examples.
Could you also include an example on how to create mapping between classes using Pointers?
//use pointer to other class
$parse->userid = array("__type" => "Pointer", "className" => "_User", "objectId" => $data['upload_data']['userid']);
Anything on these lines.
Thanks.
Just for you, I’ve created a new tutorial covering Pointers, DataTypes and ACL.
[…] One of the most common question I get with Parse is how to use Pointers, DataTypes and ACL – this tutorial covers how to do all three in both PHP and JavaScript. […]
You mentioned being able to create paginated results, have a link to a tutorial with this on PHP?
I don’t have a tutorial for this, but you would rely on the $query->setLimit() and $query->setSkip() parameters for the no. of results and offset respectively. You can pick these up from the PHP $_GET variable and pass them into your Parse $query to create pages.
Here is a quick demo.
To go to a different page, just add ?p=10 to the URL, to skip the first 10 results. p should be a multiple of your default size for best results.
Hi, I am just starting to learn this. I installed this Parse SDK on my local XAMPP server here.
"Fatal error: Uncaught exception 'Parse\ParseException' with message 'SSL certificate problem: unable to get local issuer certificate' in C:\xampp\htdocs\planlet\src\Parse\ParseClient.php:251" I got this error while running my test code.
My test code is:
require_once 'autoload.php';
use Parse\ParseClient;
use Parse\ParseObject;
use Parse\ParseQuery;
$app_id = 'XXXX';
$rest_key = 'AAAAA';
$master_key = 'VVVV';
ParseClient::initialize( $app_id, $rest_key, $master_key );
$object = new ParseQuery("Schools");
$playerName = $object->get("schoolName");
Can you help me to solve this issue?
It looks like an issue with trying to check the SSL status of your local server. It’s not an ideal work-around, but you can try adding the below code to the _request() function in the ParseClient.php file (around line 245, but before $response = curl_exec($rest);):
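Added example, not the reply's code and not part of the Parse SDK: the "unable to get local issuer certificate" error quoted above typically means cURL has no CA bundle in which to find the issuer, so this version supplies a bundle and keeps certificate verification switched on. The bundle path, the URL and the function names are assumptions.

```php
<?php
// Added example. CA_BUNDLE is an assumed location: a PEM file of trusted root
// certificates that you obtained from a source you trust and checked yourself.
const CA_BUNDLE = __DIR__ . '/cacert.pem';

/** Build a cURL handle that validates the server certificate; fail closed if it cannot. */
function verifiedHandle(string $url, string $caBundle)
{
    if (!is_file($caBundle) || !is_readable($caBundle)) {
        throw new RuntimeException("CA bundle missing or unreadable: {$caBundle}");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,      // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,         // and that the certificate names this host
        CURLOPT_CAINFO         => $caBundle, // roots used to find the issuer
    ]);
    return $ch;
}

/** Run the request; a certificate failure is reported, never retried without checks. */
function fetchVerified($ch): string
{
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException(
            sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch))
        );
    }
    return $body;
}

// Offline check of the configuration only; no request is sent here.
// The URL is a placeholder on a reserved, non-resolving domain.
try {
    $ch = verifiedHandle('https://parse.example.invalid/1/classes/Schools', CA_BUNDLE);
    echo 'TLS verification configured with ', CA_BUNDLE, PHP_EOL;
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The same bundle can be set once for every cURL call through the curl.cainfo directive in php.ini, which avoids editing library files.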