HOW TO SECURE BASE44 - SECURITY GUIDE | VIBEEVAL

Base44 Security Context

Base44 ships full-stack apps with built-in auth, a managed database, and built-in entities — there’s no separate Supabase or Firebase to configure. That sounds like less surface area, but it just moves the configuration: every entity has a permissions panel, every API endpoint has a “who can call this” toggle, and the defaults are open. The recurring shape we see is “I built it, I shipped it, I never touched the entity permissions, the data was public.”

Security Checklist

1. Configure entity permissions for every entity

In the Base44 dashboard: Entities → [entity] → Permissions. Set the four operations (read, create, update, delete) to one of: public, auth, owner, admin. The default for new entities is often auth or public — if it’s user-scoped data, owner is what you want. Walk every entity in the project before launch; missing this is the Base44 equivalent of missing RLS.

2. Add server-side validation in functions

Base44 functions ship with no input validation by default. Add a Zod (or equivalent) schema at the top of every function:

import { z } from "zod"
const Body = z.object({ amount: z.number().positive().max(10000) }) // schema for the expected body
const data = Body.parse(req.body) // throws on invalid

Without this, anyone can POST any payload — a 1GB string, a negative amount, an unexpected field that happens to map to a sensitive column.

3. Authenticate every API endpoint

Base44 functions are public by default. Add if (!user) throw new Error("Unauthorized") at the top of every protected function — user is provided by Base44’s auth middleware when the user is logged in. Functions in /public/ are intentionally open; everything else needs the check.

4. Sanitize user input before rendering

If a function returns user-generated text that later renders as HTML / Markdown, sanitize before storing or before rendering. The recurring bug is “store raw, render with dangerouslySetInnerHTML,” which is XSS. See LLM-rendered HTML/Markdown for the AI-content variant.

5. Validate file uploads

In the file upload function: check file extension, check MIME type, check size, and reject anything you don’t expect. Base44’s storage doesn’t enforce limits by default. The bug shape is an “image upload” that accepts a .zip and processes it server-side; see file upload zip-slip / XXE.
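The checks from this step as an added example (not Base44 or VibeEval code). It goes one step beyond the text by also comparing the file's leading bytes with the declared type, because the extension and MIME type are both supplied by the client. validateUpload, ALLOWED and the 5 MiB cap are assumed names and values.

```javascript
// Added example: upload gate for an image-only endpoint.
// ALLOWED, MAX_BYTES and validateUpload are hypothetical names, not Base44 APIs.
const MAX_BYTES = 5 * 1024 * 1024; // assumed 5 MiB cap

// extension -> expected MIME type and leading "magic" bytes
const JPEG = { mime: "image/jpeg", magic: [0xff, 0xd8, 0xff] };
const ALLOWED = new Map([
  ["png", { mime: "image/png", magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] }],
  ["jpg", JPEG],
  ["jpeg", JPEG],
]);

function validateUpload({ filename, mimeType, bytes }) {
  // Judge only the final extension, so "a.png.zip" is treated as "zip".
  const dot = filename.lastIndexOf(".");
  const ext = dot === -1 ? "" : filename.slice(dot + 1).toLowerCase();
  const rule = ALLOWED.get(ext);
  if (!rule) return { ok: false, reason: "extension not allowed" };
  if (mimeType !== rule.mime) return { ok: false, reason: "MIME type does not match extension" };
  if (bytes.length === 0 || bytes.length > MAX_BYTES) return { ok: false, reason: "size out of range" };
  // Extension and MIME type come from the client; the content is what gets processed.
  const matches = rule.magic.every((b, i) => bytes[i] === b);
  if (!matches) return { ok: false, reason: "content does not match declared type" };
  return { ok: true, ext };
}

// Constructed sample inputs
const PNG_HEADER = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const ZIP_HEADER = Uint8Array.from([0x50, 0x4b, 0x03, 0x04, 0x14, 0, 0, 0]); // "PK\x03\x04"

const samples = [
  { filename: "avatar.png", mimeType: "image/png", bytes: PNG_HEADER },
  { filename: "bundle.zip", mimeType: "application/zip", bytes: ZIP_HEADER },
  { filename: "avatar.png", mimeType: "image/png", bytes: ZIP_HEADER }, // archive renamed to .png
];
for (const s of samples) console.log(s.filename, validateUpload(s));
```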

6. Strengthen password and rate-limit auth

In Settings → Authentication: set a minimum password length (8+), require a number/symbol, enable email verification. For rate limits: Base44 doesn’t expose a per-route limit in the dashboard, so add it in your auth function — track failed attempts per IP in a login_attempts entity and reject after 10 within 15 minutes.

7. Disable debug mode in production

In Settings → Environment: confirm DEBUG = false for the production environment. Base44 dev environments often have verbose error pages that leak file paths and the function source — make sure those are off in prod.

8. Configure CORS for the production domain

If your Base44 functions are called from a separate frontend, set the CORS allow-origin to your frontend’s domain. Default is open. With credentials, open CORS is a credential-stuffing pivot.

9. Add per-IP rate limiting on expensive endpoints

Beyond auth, any endpoint that costs you money (LLM calls, image generation, external API calls) needs a per-IP and per-user limit. Track in a rate_limits entity and reject when over. Without this, one user with a script can run up your bill in minutes.
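An added example (not Base44 or VibeEval code) of one sliding-window counter serving both the failed-login limit from item 6 and the per-IP and per-user limit from this item. The in-memory Map stands in for the login_attempts and rate_limits entities; the class, the function names and the 20-per-minute budget are assumptions.

```javascript
// Added example: sliding-window counter shared by the login and paid-endpoint limits.
// `store` is an in-memory Map standing in for the login_attempts / rate_limits
// entities; SlidingWindowLimiter and its methods are hypothetical, not Base44 APIs.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, store = new Map() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.store = store; // key -> array of event timestamps (ms)
  }
  // Timestamps for `key` still inside the window at time `now`; prunes the rest.
  recent(key, now) {
    const kept = (this.store.get(key) || []).filter((t) => now - t < this.windowMs);
    if (kept.length) this.store.set(key, kept); else this.store.delete(key);
    return kept;
  }
  isBlocked(key, now = Date.now()) {
    return this.recent(key, now).length >= this.limit;
  }
  record(key, now = Date.now()) {
    const kept = this.recent(key, now);
    kept.push(now);
    this.store.set(key, kept);
  }
}

// Item 6: reject after 10 failed logins per IP within 15 minutes.
const loginFailures = new SlidingWindowLimiter({ limit: 10, windowMs: 15 * 60 * 1000 });

// checkPassword is supplied by the caller; only failures are counted.
function attemptLogin(ip, checkPassword, now = Date.now()) {
  if (loginFailures.isBlocked(`ip:${ip}`, now)) return { status: 429 };
  if (checkPassword()) return { status: 200 };
  loginFailures.record(`ip:${ip}`, now);
  return { status: 401 };
}

// Item 9: a paid endpoint must pass both a per-IP and a per-user budget.
// The 20-per-minute figure is an assumed value, not a Base44 default.
const paidCalls = new SlidingWindowLimiter({ limit: 20, windowMs: 60 * 1000 });

function allowPaidCall(ip, userId, now = Date.now()) {
  const keys = [`ip:${ip}`, `user:${userId}`];
  if (keys.some((k) => paidCalls.isBlocked(k, now))) return false;
  keys.forEach((k) => paidCalls.record(k, now));
  return true;
}
```

The block check runs before the password check, so a blocked IP gets 429 even with a correct password until the window has passed.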

10. Use HTTPS — verify cert chain

Base44 deployments are HTTPS by default. For custom domains, verify the cert chain is complete (openssl s_client -connect yourdomain.com:443 -showcerts). HSTS goes on once the chain is stable.

11. Secure session management

Base44 sessions are httpOnly cookies by default — verify in DevTools → Application → Cookies that HttpOnly and Secure are both set. Set session expiry to ≤ 7 days. Rotate the session on password change and on role change.

12. Audit OAuth integrations

If you wired Google / GitHub / etc. OAuth: in the provider’s dashboard, restrict the redirect URI to your production domain only. A wildcard or extra dev URL is an account-takeover surface. See SSRF / open redirect / OAuth for the recurring shapes.

13. Enable audit logging

In Settings → Logs: enable the audit log feed. After launch, watch for: bulk reads from a single IP, repeated 401s on auth endpoints, requests to entities with public read where you didn’t expect public traffic.

14. Test with two accounts (BOLA)

Sign up as user A, create a record, copy the URL. Sign up as user B, paste the URL. If user B sees user A’s record, the entity permissions are wrong (probably auth instead of owner). See BOLA in AI-generated CRUD.

15. Run a security scan

The Vibe Code Scanner covers the deploy-side patterns; the full VibeEval scan adds BOLA, role-escalation, and webhook-trust probes.

Common Vulnerabilities in Base44 Apps

Entity Permissions Left Open

auth permission means “any logged-in user” — fine for a global feed, wrong for a personal inbox. The fix is owner permission with the ownership field configured.

Functions Without Auth Checks

Every Base44 function is publicly callable until you add the check. The bug ships when the founder uses the chat to “create a function that updates user profile” and the chat skips the auth gate.

Self-Editable Role Fields

If your users entity has a role or is_admin field, the default update function accepts any field. A user PATCH’ing their own profile can set is_admin: true. Strip role-related fields from the update payload server-side.

Verbose Error Responses

Base44’s default error response includes the function file and line. Wrap your handlers and return {"error": "Internal server error"} to clients in production.
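The three function-level fixes above (auth check, stripped role fields, generic error response) combined in one added example; this is not Base44 or VibeEval code. It uses an allowlist of editable fields, which drops role and is_admin along with any other unexpected key. The { user, body } request shape, HttpError, safeHandler and the in-memory profiles Map are assumptions.

```javascript
// Added example: auth gate, field allowlist, and generic error wrapper.
// The { user, body } request shape, HttpError, safeHandler and the in-memory
// `profiles` Map are assumptions for illustration, not Base44's function API.
class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Only these profile fields may be set by the profile's owner.
const EDITABLE_FIELDS = ["display_name", "bio", "avatar_url"];

const profiles = new Map([ // constructed sample data
  ["u1", { id: "u1", display_name: "Ana", bio: "", role: "user", is_admin: false }],
]);

function updateProfile({ user, body }) {
  if (!user) throw new HttpError(401, "Unauthorized");
  const record = profiles.get(user.id); // target comes from the session, never the body
  if (!record) throw new HttpError(404, "Not found");
  // Copy allowlisted fields only; role, is_admin and unknown keys are dropped.
  for (const field of EDITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, field)) record[field] = body[field];
  }
  return { status: 200, body: record };
}

// Wrap handlers so unexpected failures never reach the client with detail.
function safeHandler(handler, log = console.error) {
  return (req) => {
    try {
      return handler(req);
    } catch (err) {
      if (err instanceof HttpError) return { status: err.status, body: { error: err.message } };
      log(err); // full detail stays server-side
      return { status: 500, body: { error: "Internal server error" } };
    }
  };
}

const handle = safeHandler(updateProfile);
```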

Automate Your Security Checks

VibeEval scans your Base44 application against every category above plus 305 more probes. Findings ship with fix prompts you can paste into the Base44 chat for one-shot remediation.
