HOW TO SECURE XANO

Step-by-step guide to securing your Xano no-code backend API builder.

Xano Security Context

Xano is a visual REST API builder — drag function-stack steps to compose endpoints, hit publish, get a URL. The visual model hides the security boundary: every endpoint you publish is internet-reachable, every step that queries the database returns whatever it queried (no row-level filter unless you add one), and the auto-generated CRUD endpoints are public unless you explicitly add the auth precondition. The recurring incident shape is “the API works in the test runner (which is authenticated as me), I shipped it, anyone can hit it without a token.”

Security Checklist

1. Add authentication preconditions to every protected endpoint (Critical)

In the API group’s Settings: set the auth source (User table) and require it. For each endpoint that should require auth: add a Precondition at the top of the function stack that checks for auth.id (or your equivalent) and returns 401 if absent. Without the precondition, the endpoint is public — even if it’s in an “authenticated” API group, individual endpoints can override.

2. Validate every input (Critical)

For each endpoint, configure Input filters: required, min/max length, allowed values for enums. Xano’s input filters reject the request before any function-stack step runs. Without filters, an attacker sends any payload — a 1MB string, a negative integer, a SQL keyword in what should be a username.

3. Audit API group permissions (Critical)

API → Groups: review each group’s auth setting (Public vs Auth required). Public groups should only contain endpoints meant for unauthenticated access (sign-up, password reset, public reads). Everything else goes in an authenticated group.

4. Lock down auto-generated CRUD queries (Critical)

The Xano CRUD generators produce a “Get All” / “Get Record” / “Add Record” / “Edit Record” / “Delete Record” set. Out of the box, “Get All” returns every row in the table. For user-scoped data: add a Filter step that constrains by auth.id == record.user_id. For “Edit” / “Delete”: add a Precondition that the record’s user_id matches auth.id. Same applies to the auto-generated “Get Record” — it accepts any ID by default, no ownership check. This is BOLA — see BOLA in AI-generated CRUD.
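As an added example (not Xano's own code), the out-of-the-box "Get All" beside hardened "Get All" and "Get Record" stacks modelled as plain Python functions, with the step-1 auth precondition and the auth.id == record.user_id check from this step; the table, user ids and status codes are constructed.

```python
# Added example, not Xano's own code: models the auto-generated "Get All" and
# "Get Record" stacks as plain functions, with the auth precondition (step 1)
# and the auth.id == record.user_id ownership check (step 4). Data is constructed.
from dataclasses import dataclass
from typing import Optional

class ApiError(Exception):
    """Stands in for a failed Xano Precondition: carries the HTTP status."""
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status

@dataclass
class Auth:
    """What Xano exposes as `auth` after token validation (id None = no token)."""
    id: Optional[int] = None

# Constructed sample table: invoices belonging to two different users.
INVOICES = {
    1: {"id": 1, "user_id": 10, "amount": 120},
    2: {"id": 2, "user_id": 20, "amount": 55},
    3: {"id": 3, "user_id": 10, "amount": 99},
}

def require_auth(auth: Auth) -> int:
    """Precondition at the top of every protected stack: no auth.id -> 401."""
    if auth.id is None:
        raise ApiError(401, "authentication required")
    return auth.id

def get_all_unscoped(table: dict) -> list:
    """Out-of-the-box 'Get All': every row, whoever is calling (the BOLA case)."""
    return list(table.values())

def get_all(auth: Auth, table: dict) -> list:
    """Hardened 'Get All': filter step keeps only rows where user_id == auth.id."""
    uid = require_auth(auth)
    return [r for r in table.values() if r["user_id"] == uid]

def get_record(auth: Auth, table: dict, record_id: int) -> dict:
    """Hardened 'Get Record' (the same precondition belongs on 'Edit'/'Delete'):
    404 if the id does not exist, 403 if the row belongs to someone else."""
    uid = require_auth(auth)
    record = table.get(record_id)
    if record is None:
        raise ApiError(404, "not found")
    if record["user_id"] != uid:
        raise ApiError(403, "not your record")
    return record
```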

5. Configure CORS to your frontend domain (Critical)

API → Settings → CORS: set Allowed Origins to your frontend’s exact domain — not *. With cookie auth, allow-all CORS is a credential-stuffing pivot. See CORS credentials misconfig.

6. Set rate limits on auth endpoints

API → Settings → Rate Limit: configure per-IP limits. Tighten to ~10/min on /auth/login and /auth/signup. Without limits, the auth endpoints are a free credential-stuffing surface.

7. Audit external API connections

Settings → Add-ons → External APIs: every connected service has an API key stored in Xano. Audit the list — disconnect ones you no longer use. For ones you keep, rotate keys after any team-member departure.

8. Configure webhook signature verification

For incoming webhooks (Stripe, GitHub, etc.): add a Precondition that verifies the signature against the secret. Don’t trust the payload until the signature passes. See Stripe webhook and paid-trust.
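As an added example (not Xano's or Stripe's own code), the logic such a Precondition needs for a Stripe-style signature: HMAC-SHA256 over "<timestamp>.<raw body>", carried in a `t=...,v1=...` header, checked in constant time and rejected when stale; the secret and body are constructed placeholders.

```python
# Added example, not Xano's or Stripe's own code: verifies a Stripe-style
# webhook signature (HMAC-SHA256 over "<timestamp>.<raw body>", carried in a
# "Stripe-Signature: t=...,v1=..." header) the way the step-8 Precondition
# should before any later stack step trusts the payload. Secret is constructed.
import hashlib
import hmac
import time

WEBHOOK_SECRET = "whsec_constructed_example_secret"  # placeholder, not a real key
TOLERANCE_SECONDS = 300  # reject signatures older than 5 minutes (replay window)

def parse_signature_header(header: str) -> tuple:
    """Split 't=...,v1=...,v1=...' into (timestamp, [v1 signatures])."""
    timestamp, sigs = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            sigs.append(value)
    return timestamp, sigs

def expected_signature(secret: str, timestamp: int, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes received, prefixed with the timestamp."""
    signed = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()

def verify_webhook(raw_body: bytes, header: str, secret: str,
                   now: int = None) -> bool:
    """Precondition logic: True only if a v1 signature matches and is fresh."""
    now = int(time.time()) if now is None else now
    timestamp, sigs = parse_signature_header(header)
    if timestamp is None or not sigs:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = expected_signature(secret, timestamp, raw_body)
    # compare_digest avoids timing leaks; any v1 may match during key rotation
    return any(hmac.compare_digest(expected, s) for s in sigs)

def sign_for_test(raw_body: bytes, secret: str, timestamp: int) -> str:
    """Builds the header a sender would attach (used only to exercise verify)."""
    return f"t={timestamp},v1={expected_signature(secret, timestamp, raw_body)}"
```

Verify against the raw request body bytes, not a re-serialised parsed object, or the digest will not match.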

9. Audit task scheduler

Tasks → Background Tasks: review every scheduled task. They run without a user context — confirm they don’t perform user-scoped operations without explicit user filters. Watch for tasks that send emails or make charges; an attacker who can trigger one can spam or bill.

10. Review file storage access

Storage → Configuration: set max file size, allowed extensions, scan for malware if available. For each upload endpoint: validate file type server-side after upload (not just from the client-supplied MIME), and serve files via a Xano endpoint that checks ownership, not via direct CDN URLs.

11. Enable request logging

Logs → Request History: review weekly for: bursts of traffic from a single IP, repeated 4xx auth errors, requests to endpoints you don’t recognize.
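As an added example (not Xano's own tooling), the three checks above applied to constructed request-log lines; the line format, thresholds and endpoint list are assumptions, since Xano's export format is not given here.

```python
# Added example, not Xano's own tooling: applies the three step-11 checks to
# constructed request-log lines in a simple "<iso-time> <ip> <method> <path>
# <status>" format (Xano's export format is not assumed; adapt parse_line).
import re
from collections import Counter, defaultdict
from datetime import datetime

KNOWN_ENDPOINTS = {"/auth/login", "/auth/signup", "/invoice", "/invoice/{id}"}
BURST_THRESHOLD, BURST_WINDOW_SECONDS = 20, 60   # N requests from one IP in 60 s
AUTH_FAIL_THRESHOLD = 5                          # 401/403 answers to one IP

def parse_line(line: str) -> dict:
    ts, ip, method, path, status = line.split()
    route = "/" + path.split("/", 2)[-1]            # strip the "/api:<id>" prefix
    route = re.sub(r"/\d+(?=/|$)", "/{id}", route)  # /invoice/37 -> /invoice/{id}
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ip, "method": method, "path": route, "status": int(status)}

def triage(lines: list) -> dict:
    events = [parse_line(l) for l in lines if l.strip()]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    bursts, auth_failures = [], []
    for ip, evs in by_ip.items():
        times = sorted(e["ts"] for e in evs)
        start = 0                                  # sliding window over timestamps
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > BURST_WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                bursts.append(ip)
                break
        fails = sum(1 for e in evs if e["status"] in (401, 403))
        if fails >= AUTH_FAIL_THRESHOLD:
            auth_failures.append((ip, fails))
    seen = Counter(e["path"] for e in events)
    unknown = sorted(p for p in seen if p not in KNOWN_ENDPOINTS)
    return {"bursts": bursts, "auth_failures": auth_failures, "unknown_endpoints": unknown}

# Constructed sample: 25 rapid login failures from one IP, plus a request for
# a route that is not part of the published API surface.
SAMPLE_LOG = [f"2024-05-01T10:00:{i:02d}Z 203.0.113.5 POST /api:abc123/auth/login 401"
              for i in range(25)] + [
    "2024-05-01T10:05:00Z 198.51.100.7 GET /api:abc123/invoice/37 200",
    "2024-05-01T10:05:02Z 198.51.100.7 GET /api:abc123/admin/users 404",
]
```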

12. Move secrets to environment variables

Settings → Environment Variables: add Stripe / SendGrid / OpenAI keys here, not inline in function-stack steps. Function-stack steps that reference the env var don’t print the value to the request log.

13. Audit role-based access control

If you use a role field on the user table: confirm every endpoint that should be admin-only has a precondition auth.user.role == 'admin'. The auth.user object is set when the user authenticates — the role check should reference it, not a value the request can pass.

14. Set up IP allowlisting for admin

For Xano admin access: Workspace Settings → Security → IP Allowlist: restrict to your office / VPN IPs. Limits the blast radius of a credential leak.

15. Audit auto-generated Swagger

Xano auto-generates Swagger documentation at /api:<id>/docs. By default this is public — meaning the schema, parameters, and example payloads of every endpoint are publicly browsable. API Settings → Documentation: gate behind auth or disable for production.

16. Run a security scan

The full VibeEval scan probes Xano endpoints for missing auth, BOLA, and over-permissive responses.
