Display Rules and Data Security
Understanding how display rules work behind the scenes is crucial for maintaining proper data security in your Knack applications.
What you'll learn:
- How display rules handle data at the client and server level
- Security implications of using display rules to hide sensitive information
- Best practices for protecting sensitive data in your apps
- Alternative approaches for secure data handling
How Display Rules Work
Display rules in Knack operate entirely on the client side (in the user's browser), which has important implications for data security that builders should be aware of.
Client-Side Processing
When you create a display rule to hide a field:
- The field data is still sent to the browser: all field values remain in the underlying data structure
- JavaScript events still contain the data: hidden fields are accessible through browser events
- Export functions include hidden data: CSV, TXT, and JSON exports will contain values hidden by display rules
Critical Security Note: Display rules should never be used as the primary method for protecting sensitive information.
Display rules are not meant to provide data security. Here are the main ways data hidden by a display rule remains exposed:
Browser Console Access
- Hidden field data is accessible through the browser's developer console
- Field values remain visible in network requests and JavaScript objects
Exports
- Hidden fields appear in exported data files
API Accessibility
- View-based API calls can still retrieve data from hidden fields
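The points above (hidden fields still present in the view's record data, and still present in exports) can be checked directly. The following is an added example, not Knack's own code: an audit helper a builder can paste into a test app to confirm that fields meant to be private never reach the browser at all. It assumes Knack delivers view records as objects keyed by field id (for example `field_12` with a `field_12_raw` twin) and that the `knack-view-render.any` event hands the handler `(event, view, records)`; the field ids and records are constructed sample data.

```javascript
// Field ids that must never appear in a client payload (constructed ids).
const RESTRICTED_FIELDS = ["field_12", "field_31"];

// Return the restricted field keys (including their *_raw twins) found in
// any record. An empty result means source filters / role permissions are
// keeping the data off the client; a non-empty result means only a display
// rule stands between the user and the value.
function findLeakedFields(records, restricted = RESTRICTED_FIELDS) {
  const leaked = new Set();
  const list = Array.isArray(records) ? records : [records];
  for (const record of list) {
    for (const key of Object.keys(record || {})) {
      const base = key.endsWith("_raw") ? key.slice(0, -4) : key;
      if (restricted.includes(base)) leaked.add(key);
    }
  }
  return [...leaked].sort();
}

// A display rule hides a column in the grid, but an export built from the
// same records still carries it; this mirrors the CSV export behaviour.
function toCsv(records, columns) {
  const esc = (v) => `"${String(v ?? "").replace(/"/g, '""')}"`;
  const header = columns.map(esc).join(",");
  const rows = records.map((r) => columns.map((c) => esc(r[c])).join(","));
  return [header, ...rows].join("\n");
}

// Constructed payload shaped like a Knack view's records: the salary field
// (field_12) is hidden by a display rule but is still present in the data.
const SAMPLE_RECORDS = [
  { id: "a1", field_5: "Ada", field_12: "$95,000", field_12_raw: 95000 },
  { id: "b2", field_5: "Bob", field_12: "$72,000", field_12_raw: 72000 },
];

// In the Knack app, hook the audit to every view render (assumed event name
// and handler signature) so leaks show up in the console while testing.
if (typeof $ === "function") {
  $(document).on("knack-view-render.any", function (event, view, records) {
    const leaked = findLeakedFields(records || []);
    if (leaked.length) {
      console.warn(`${view.key}: restricted fields reached the client`, leaked);
    }
  });
}
```

Run it against a view where the field is hidden only by a display rule and the warning fires; add a source filter or remove the field from the role's permissions and it goes quiet.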
Scenarios
- Scenario 1: Salary Information. You use display rules to hide salary fields from certain user roles, but the data remains accessible through exports or JavaScript.
- Scenario 2: Internal Notes. Administrative notes meant only for managers are hidden from staff but can be accessed through browser tools.
Best Practices
1. Use User Roles for True Security
Instead of display rules, implement proper user role restrictions:
- Create separate user roles
2. Separate Sensitive Data
For truly sensitive information:
- Create separate tables for sensitive data
- Use connection fields to link related information
- Restrict access to sensitive tables through user roles
3. Data Filtering
Ensure sensitive data never reaches the client:
- Use source filters to filter data at the database level
- Configure user role permissions to prevent data retrieval
4. Display Rules are for User Experience Only
Use display rules appropriately:
- Simplify complex forms by showing/hiding relevant fields
- Improve user experience with conditional field display
- Create dynamic interfaces that respond to user input
Best Practice: Think of display rules as a user experience tool, not a security feature.
Implementation Guidelines
When Display Rules Are Appropriate
✅ Good use cases:
- Showing/hiding fields based on form selections
- Creating cleaner interfaces by reducing visual clutter
- Implementing conditional field visibility for better UX
- Guiding users through multi-step processes
When to Use Alternative Security Measures
🚫 Avoid display rules for:
- Hiding sensitive personal information
- Protecting financial data
- Concealing administrative fields
- Any data that must remain truly private
Security Checklist
Before using display rules, ask yourself:
- Is this data truly sensitive?
- Would it matter if a technical user could access this information?
- Am I using this for user experience or security?
- Have I implemented proper user role restrictions?
- Are there alternative approaches that provide better security?
Remember: Display rules control what users see, but user roles control what data they can access. For sensitive information, always prioritize proper role-based security over client-side display rules.