Base44 security

Database Tables Publicly Accessible Without Authentication

Your Base44 app's database tables are readable by anyone, even unauthenticated visitors. Personal information, email addresses, passwords, payment details, and private business data are all accessible by directly querying the database through the app's API layer.

This happens because Base44's default table configuration may not enforce access restrictions, or the access rules were misconfigured during setup. Anyone who discovers the API endpoint or inspects network requests can pull all records from any table.

You might discover this when a user reports seeing other users' data, when you find your data indexed by search engines, or during a security review that reveals all tables are open.

Error Messages You Might See

All user records visible without login API returns full table data without authentication Sensitive fields exposed in API response Database records indexed by Google
All user records visible without loginAPI returns full table data without authenticationSensitive fields exposed in API responseDatabase records indexed by Google

Common Causes

  • Default table permissions left open — Base44 tables are created without row-level or table-level access restrictions enabled
  • No authentication required for read operations — The data API allows GET requests without any auth token or session
  • API endpoints exposed in frontend code — Network requests visible in browser DevTools reveal direct database query endpoints
  • Access rules only on UI, not data layer — Page-level restrictions hide the UI but the underlying data endpoints remain accessible
  • Admin tables not separated — Sensitive admin data lives in the same unrestricted tables as public content

How to Fix It

  1. Audit all table permissions — Go through every table in your Base44 dashboard and check who has read, write, and delete access
  2. Enable authentication on all data endpoints — Require a valid session or API token for any data read or write operation
  3. Implement row-level access — Configure rules so users can only read and modify their own records
  4. Separate public and private tables — Keep truly public content (blog posts, product listings) in separate tables from private data (users, orders)
  5. Test as an unauthenticated user — Open your app in an incognito window and check what data you can access without logging in

Real developers can help you.

Matt Butler Matt Butler Software Engineer @ AWS Sage Fulcher Sage Fulcher Hey I'm Sage! Im a Boston area software engineer who grew up in South Florida. Ive worked at a ton of cool places like a telehealth kidney care startup that took part in a billion dollar merger (Cricket health/Interwell health), a boutique design agency where I got to work on a ton of exciting startups including a photography education app, a collegiate Esports league and more (Philosophie), a data analytics as a service startup in Cambridge (MA) as well as at Phillips and MIT Lincoln Lab where I designed and developed novel network security visualizations and analytics. I've been writing code and furiously devoted to using computers to make people’s lives easier for about 17 years. My degree is in making computers make pretty lights and sounds. Outside of work I love hip hop, the Celtics, professional wrestling, magic the gathering, photography, drumming, and guitars (both making and playing them) Anthony Akpan Anthony Akpan Developer with 8 years of experience building softwares fro startups ISHANTDEEP SINGH ISHANTDEEP SINGH Senior Software Engineer with 7+ years of experience in React, JavaScript, TypeScript, Next.js, and Node.js. I’ve also worked as a tech lead for startups, owning end-to-end technical execution including architecture, development, scaling, and delivery. I bring a strong mix of hands-on coding, product thinking, and technical leadership, and I’m comfortable building products from scratch as well as improving and scaling existing systems. Luca Liberati Luca Liberati I work on monoliths and microservices, backends and frontends, manage K8s clusters and love to design apps architecture Vlad Temian Vlad Temian 15+ years shipping production infrastructure for startups. Former CTO at qed.builders (acquired by The Sandbox). Cursor ambassador and agentic tooling builder. I've scaled systems, automated deployments, and built observability tools for AI coding workflows. I specialize in taking vibe-coded apps from broken prototype to production-ready: fixing Supabase auth/RLS, Stripe integrations, deployment pipelines, and cleaning up AI-generated spaghetti. I build tools in this space (agentprobe, claudebin, micode) and understand both sides: how AI generates code and why it breaks. https://blog.vtemian.com/ Dor Yaloz Dor Yaloz SW engineer with 6+ years of experience, I worked with React/Node/Python did projects with React+Capacitor.js for ios Supabase expert Kingsley Omage Kingsley Omage Fullstack software engineer passionate about AI Agents, blockchain, LLMs. Krishna Sai Kuncha Krishna Sai Kuncha Experienced Professional Full stack Developer with 8+ years of experience across react, python, js, ts, golang and react-native. Developed inhouse websearch tooling for AI before websearch was solved : ) Jacek Rozanski Jacek Rozanski Senior PHP/Symfony developer and DevOps engineer with 20+ years of professional experience, running opcode.pl (web development agency, est. 2004). Day job: I'm the sole backend developer at merketing company where I own and maintain 11 PHP/Symfony microservices on AWS (ECS Fargate, RDS, S3, CloudFront), handle the full CI/CD pipeline (Bitbucket Pipelines, Docker), and manage monitoring with Sentry and CloudWatch. These services handle high request volumes in production every month. What I bring to AI-built apps: - I audit and fix security issues (OWASP methodology), performance bottlenecks, and architectural problems in codebases generated by Cursor, Claude Code, Lovable, Bolt, and v0 - I refactor AI-generated prototypes into production-grade applications with proper error handling, testing, and clean architecture (SOLID, DDD, hexagonal architecture) - I set up the infrastructure AI tools don't touch: AWS hosting, CI/CD pipelines, automated deployments, database optimization, monitoring, and alerting - I integrate external services: payment providers, email systems, partner APIs, SSO/auth Tech stack: PHP 8.x, Symfony, React, Next.js, PostgreSQL, MySQL, Docker, AWS (ECS, RDS, S3, SQS/SNS, CloudFront), Terraform, Supabase. I also use AI tools daily (Claude Code, Cursor) in my own workflow, so I understand both the strengths and the gaps in AI-generated code. Based in Poland (CET timezone). Available for async work and calls during EU/US business hours.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help

Frequently Asked Questions

How do I check if my Base44 tables are publicly accessible?

Open your app in an incognito browser window without logging in. Try accessing data pages or inspect network requests in DevTools. If you can see table data without authentication, your tables are public.

Can I restrict access to specific fields within a table?

Base44 typically allows table-level and row-level access rules. For field-level restrictions, you may need to create separate tables for sensitive fields and apply stricter access rules to those tables.

Related Base44 Issues

Forms Accept Any Input Without Validation

security

Admin Panel Accessible Without Login

security

Can't fix it yourself?
Real developers can help.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help