diff --git a/_includes/common/security.md b/_includes/common/security.md index 250288f3..fb3a447c 100644 --- a/_includes/common/security.md +++ b/_includes/common/security.md @@ -14,7 +14,7 @@ The master key, on the other hand, is definitely a security mechanism. Using the The overall philosophy is to limit the power of your clients (using client keys), and to perform any sensitive actions requiring the master key in Cloud Code. You'll learn how to best wield this power in the section titled [Implementing Business Logic in Cloud Code](#implementing-business-logic-in-cloud-code). -A final note: It is recommended to setup HTTPS and SSL in your server, to avoid man-in-the-middle attacks, but Parse works fine as well with non-HTTPS connections. +A final note: It is recommended to setup HTTPS and SSL in your server, to avoid man-in-the-middle attacks, but Parse works fine as well with non-HTTPS connections. ## Class-Level Permissions @@ -34,6 +34,12 @@ Almost every class that you create should have these permissions tweaked to some As a start, you can configure your application so that clients cannot create new classes on Parse. This is done by setting the key `allowClientClassCreation` to `false` in your ParseServer configuration. See the project Readme for an overview of [Configuring your ParseServer](https://github.com/parse-community/parse-server#configuration). Once restricted, classes may only be created from the Data Browser or with a the `masterKey`. This will prevent attackers from filling your database with unlimited, arbitrary new classes. +### Enforcing Private Users + +*Requires Parse Server 5.0.0+* + +By default, Parse Server creates Users with public read access. This allows other users, and un-authenticated users, to read data such as `email`. When moving to production, set the key `enforcePrivateUsers` to `true`, as this will remove the public read access to new users. + ### Configuring Class-Level Permissions Parse lets you specify what operations are allowed per class. This lets you restrict the ways in which clients can access or modify your classes. To change these settings, go to the Data Browser, select a class, and click the "Security" button. diff --git a/parse-server.md b/parse-server.md index 7c1a89ef..03ef9b8e 100644 --- a/parse-server.md +++ b/parse-server.md @@ -16,6 +16,9 @@ sections: - "parse-server/push-notifications.md" - "parse-server/push-notifications-clients.md" - "parse-server/class-level-permissions.md" +- "common/security.md" +- "common/performance.md" +- "common/errors.md" - "parse-server/file-adapters.md" - "parse-server/cache-adapters.md" - "parse-server/live-query.md"