This topic explains ways you can reduce your risk while implementing the EOTI role.
Use IP Filtering
You can disallow access to any Quickbase app from any network except your trusted network using IP filter rules (available in certain plans), only allowing the IP address or networks you define. You may limit access to the app from only the corporate network or VPN, as an example. This is useful for cases when you want to collect form submissions from internal staff who are not Quickbase users. In this way, your EOTI form is only available internally, not on the Internet.
Using custom permissions to allow access to records
Use custom table-specific permissions in Quickbase to limit the view of the parent record using one or more of the following rules:
-
When a child record has not been submitted (using a summary field).
-
For a limited period of time by using a Formula-Duration or Formula-Numeric field, for example, only within two minutes of the record being created.
-
Until another event is completed, such as selecting a checkbox field on the record.
Important: These permissions should never be used if the record data is not meant to be exposed publicly.
API usage with EOTI
There are two different architectures that support accessing data via our API. One is client side, or JavaScript pages that are created inside of a Quickbase app. While the pages are stored in Quickbase, the code runs in a user’s browser. These solutions are lightweight, fast, and easily deployable but do not have the security or durability of server-side solutions, where a developer creates a solution (sometimes referred to as a portal) that is hosted and run on a third-party infrastructure (not owned, maintained, or visible by Quickbase). This will be denoted by having an alternative domain where the portal is accessed.
Because JavaScript runs in the browser, the same security concerns and risk mitigation techniques should be followed. All guidance for native use of Quickbase (both acceptable and non-acceptable) applies when using JavaScript pages that call the Quickbase API