HOW SECURE IS APPWRITE? (B)
Appwrite is safe as a backend platform. The score reflects two patterns: permissive collection-level permissions on new databases, and rate-limit gaps on self-hosted deployments.
Rating: B
| Dimension | Score |
|---|---|
| Platform security | A- |
| Default posture | C+ |
| Overall | B |
Top failure modes
1. Over-permissive collection rules — A new collection grants no client access until you add permissions, so during development the quick fix is to grant the ‘Any’ role read and write and move on. Easy to miss; devastating when shipped, because a collection-level grant applies even when document security is enabled: document permissions are added to it, they cannot narrow it.
2. Exposed integration keys in frontend — Appwrite server API keys get placed in bundler-exposed environment variables (VITE_, NEXT_PUBLIC_, REACT_APP_ prefixes) and shipped inside the client bundle, where anyone can read them. Only the endpoint and project ID belong in browser code; the API key belongs on a server or in a Function.
3. Rate limits disabled on self-hosted — Common for self-hosters, who set _APP_OPTIONS_ABUSE=disabled in the Appwrite .env to get past rate-limit errors during testing and leave it that way. That removes abuse controls from the auth endpoints and opens brute-force and abuse vectors.
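As an added example for failure mode 1 (not code from this page or from Appwrite), the Node.js script below audits the $permissions array that Appwrite's databases.listCollections() returns for each collection and flags grants to ‘Any’, guests, or all users. The permission-string shape it parses (read("any"), write("users"), update("team:ID/ROLE")) is Appwrite's documented format; the severity ranking is this example's own choice, and the sample collections are constructed. In a real audit you would feed it the collections array from the node-appwrite SDK instead.

```javascript
// Added example, not Appwrite's own tooling: audit collection permission strings.
const PERMISSION_RE = /^(read|create|update|delete|write)\("([^"]+)"\)$/;
const SEVERITY_RANK = { info: 0, review: 1, medium: 2, high: 3 };

// Parse one Appwrite permission string, e.g. update("team:abc/owner"),
// into { action, role, base } or null when it is not in the documented shape.
function parsePermission(str) {
  const m = PERMISSION_RE.exec(str);
  if (!m) return null;
  const role = m[2];
  // Roles may carry a qualifier after "/": users/verified, team:ID/ROLE.
  const base = role.split("/")[0];
  return { action: m[1], role, base };
}

// Classify a single grant. Appwrite unions collection-level and document-level
// permissions when documentSecurity is on, so a broad collection-level grant
// cannot be narrowed per document; it is flagged regardless of that setting.
// write("...") is the shorthand for create, update and delete at once.
function classify({ action, base }) {
  const anonymous = base === "any" || base === "guests";
  const allUsers = base === "users";
  const mutates = action !== "read";
  if (mutates && anonymous) return { severity: "high", reason: `unauthenticated clients can ${action}` };
  if (mutates && allUsers && action !== "create") return { severity: "medium", reason: `every signed-in account can ${action} every document` };
  if (mutates && allUsers) return { severity: "info", reason: "every signed-in account can create documents; pair with documentSecurity" };
  if (!mutates && anonymous) return { severity: "review", reason: "every document is publicly readable; acceptable only for public content" };
  return null; // scoped to a user, team, member or label: nothing to flag
}

// Audit one collection object as returned by databases.listCollections()
// ($id, name, $permissions and documentSecurity are fields of that response).
function auditCollection(collection) {
  const findings = [];
  const perms = collection.$permissions || [];
  for (const p of perms) {
    const parsed = parsePermission(p);
    if (!parsed) {
      findings.push({ severity: "review", permission: p, reason: "unrecognised permission string" });
      continue;
    }
    const verdict = classify(parsed);
    if (verdict) findings.push({ severity: verdict.severity, permission: p, reason: verdict.reason });
  }
  if (perms.length === 0 && !collection.documentSecurity) {
    findings.push({ severity: "info", permission: "(none)", reason: "no client access at all; reachable only with a server API key" });
  }
  return findings;
}

function worstSeverity(findings) {
  return findings.reduce((worst, f) => (SEVERITY_RANK[f.severity] > SEVERITY_RANK[worst] ? f.severity : worst), "info");
}

function auditAll(collections) {
  return collections.map((c) => {
    const findings = auditCollection(c);
    return { id: c.$id, worst: worstSeverity(findings), findings };
  });
}

// Constructed sample, shaped like the collections array from databases.listCollections().
const SAMPLE_COLLECTIONS = [
  { $id: "posts", name: "posts", documentSecurity: false,
    $permissions: ['read("any")', 'write("any")'] },            // the shipped-prototype pattern
  { $id: "profiles", name: "profiles", documentSecurity: true,
    $permissions: ['read("users")', 'create("users")'] },       // common and usually intended
  { $id: "invoices", name: "invoices", documentSecurity: false,
    $permissions: ['read("team:finance/viewer")', 'update("team:finance/editor")'] },
  { $id: "audit_log", name: "audit_log", documentSecurity: false, $permissions: [] },
];

console.log(JSON.stringify(auditAll(SAMPLE_COLLECTIONS), null, 2));
```

The "posts" collection is the case the failure mode describes: a single write("any") means anyone with the project ID, which is public by design, can create, update and delete every document, whatever the frontend does.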
How to make Appwrite safer
- Treat the defaults as a starting point, not a secure configuration.
- Audit each failure mode above against your specific deployment.
- Run an automated scan against the deployed app — UI signals rarely surface the backend issues.
- Re-scan after every material change (new collection or table, new Function, new env var).
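To audit failure modes 2 and 3 above against a deployment, here is an added example (not the page's or Appwrite's own code) that parses dotenv-style files and flags (a) secret-looking variables under bundler-public prefixes such as VITE_ or NEXT_PUBLIC_, which the framework inlines into the browser bundle, and (b) _APP_OPTIONS_ABUSE=disabled in a self-hosted Appwrite .env, the switch that turns off abuse checks and API rate limiting. The prefix list and the name heuristics are assumptions of this example; both sample files are constructed and contain no real keys.

```javascript
// Added example, not Appwrite's own tooling: audit dotenv files for bundled
// server keys and for abuse controls switched off on a self-hosted instance.

// Variables with these prefixes are inlined into the browser bundle by the
// respective framework (Vite, Next.js, Create React App, Expo, Nuxt).
const PUBLIC_PREFIXES = ["VITE_", "NEXT_PUBLIC_", "REACT_APP_", "EXPO_PUBLIC_", "NUXT_PUBLIC_"];
// Heuristics assumed for this example: names that usually hold secrets, and
// names that are public by design (captcha site keys, publishable keys).
const SECRET_HINTS = /(KEY|SECRET|TOKEN|PASSWORD)/i;
const PUBLIC_BY_DESIGN = /(SITE_KEY|PUBLIC_KEY|PUBLISHABLE)/i;

// Minimal dotenv parser: KEY=value lines, '#' comment lines, optional quotes.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.length >= 2 &&
      ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'")));
    if (quoted) value = value.slice(1, -1);
    env[key] = value;
  }
  return env;
}

// Failure mode 2: a server API key under a public prefix ships to every browser.
// The endpoint and project ID are meant to be public; the API key is not.
function findBundledSecrets(env) {
  const findings = [];
  for (const [key, value] of Object.entries(env)) {
    const isPublic = PUBLIC_PREFIXES.some((p) => key.startsWith(p));
    if (!isPublic || value === "") continue;
    if (SECRET_HINTS.test(key) && !PUBLIC_BY_DESIGN.test(key)) {
      findings.push({ key, reason: "secret-looking value under a bundler-public prefix; move it to the server or a Function" });
    }
  }
  return findings;
}

// Failure mode 3: _APP_OPTIONS_ABUSE is the self-hosted Appwrite switch for abuse
// checks and API rate limiting (enabled by default). "disabled" opens the auth
// endpoints to brute force, so an absent variable is treated as enabled here.
function findWeakServerOptions(env) {
  const findings = [];
  const abuse = (env._APP_OPTIONS_ABUSE || "enabled").trim().toLowerCase();
  if (abuse === "disabled") {
    findings.push({ key: "_APP_OPTIONS_ABUSE", reason: "abuse checks and rate limiting are off; set it to enabled" });
  }
  return findings;
}

// Constructed sample files (placeholder values, not real keys or hosts).
const SAMPLE_FRONTEND_ENV = `
# frontend .env (Vite)
VITE_APPWRITE_ENDPOINT=https://cloud.appwrite.io/v1
VITE_APPWRITE_PROJECT=example-project-id
VITE_APPWRITE_KEY="not-a-real-server-api-key"
VITE_TURNSTILE_SITE_KEY=0xExampleSiteKey
APPWRITE_KEY=not-a-real-server-api-key
`;

const SAMPLE_SERVER_ENV = `
# self-hosted appwrite/.env
_APP_ENV=production
_APP_DOMAIN=appwrite.example.com
_APP_OPTIONS_ABUSE=disabled
`;

function auditFiles(frontendText, serverText) {
  return {
    bundledSecrets: findBundledSecrets(parseDotenv(frontendText)),
    weakServerOptions: findWeakServerOptions(parseDotenv(serverText)),
  };
}

console.log(JSON.stringify(auditFiles(SAMPLE_FRONTEND_ENV, SAMPLE_SERVER_ENV), null, 2));
```

On the sample files only VITE_APPWRITE_KEY and _APP_OPTIONS_ABUSE are reported: the unprefixed APPWRITE_KEY stays server-side, and the captcha site key is public by design. Treat hits as review items, since the name heuristics cannot see what a variable actually holds.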
For the full analysis of Appwrite’s platform, defaults, and the failure modes we find on real deployments, see Is Appwrite Safe?.
FAQ
Is Appwrite secure by default?
Appwrite Cloud ships reasonable defaults; self-hosted deployments can switch some of them off (abuse controls and rate limiting, for example). The collection-level permission model requires explicit role configuration, and granting ‘Any’ write access to get a prototype working is common in early-stage projects.
How does Appwrite compare to Supabase on security?
Roughly equivalent at the infrastructure layer. The permission models differ: Appwrite grants access per collection by role (any, guests, users, user, team, member, label), optionally per document as well; Supabase relies on Postgres row-level security policies. Either is safe when configured deliberately and unsafe when a prototype's broad grants are left in place.
Does Appwrite Cloud have a SOC 2 report?
Appwrite Cloud has been working toward SOC 2 Type II compliance; check their trust center for the latest status before making enterprise-procurement decisions.