Page Rules and Data Security
Page rules are powerful user experience tools, but they should never be your primary method for protecting sensitive data or controlling access to information.
What you'll learn:
- How page rules work at the client level
- Security limitations of using page rules for data protection
- Why hidden elements and redirects are not security features
- Best practices for implementing proper access control in your apps
How Page Rules Work
Page rules operate primarily on the client side (in the user's browser). Builders need to know that they are not a security feature.
Client-Side Processing
When you create page rules to hide elements or redirect users:
- Data is still sent to the browser: all page data loads before rules execute
- JavaScript can access hidden content: browser developer tools can reveal concealed elements
- API endpoints remain accessible: direct API calls can bypass page rule restrictions
Critical Note: Page rules should never be used as the primary method for protecting sensitive information or controlling access to data.
Browser Developer Tools
- Users can inspect the page source and reveal hidden elements
- JavaScript console can override page rule behaviors
- Network requests show data sent to the browser
API Accessibility
- Direct API calls bypass page rules entirely: users can access view-based APIs regardless of page rules
Page rules are user experience enhancements, not security controls.
- Page rules execute after data loads in the browser
- Rules modify presentation, not data access
If data shouldn't be accessible to a user, it shouldn't be sent to their browser in the first place.
Secure Alternatives and Best Practices
1. Use User Roles for True Security
Implement proper server-side access control:
- Create distinct user roles
- Use source filters to filter data at the database level
2. Proper Page Access Control
Instead of page rules for security:
- Restrict page access through user role settings in the Access tab
- Use login requirements to control who can reach pages
- Create role-specific pages rather than hiding content conditionally
3. Data Filtering
Ensure sensitive information never reaches unauthorized users:
- Configure source filters to filter data based on user context
- Use connection field filters to limit related data access
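The difference between hiding data with a display rule and filtering it before it is sent, shown as an added example (not code from the platform this page documents). The records, field names, roles and function names are all hypothetical, and the server-side filter is a generic stand-in for user roles and source filters.

```javascript
// Constructed sample records; field names are hypothetical.
const RECORDS = [
  { id: 1, owner: "alice", name: "Alice Ng", salary: 91000 },
  { id: 2, owner: "bob", name: "Bob Ortiz", salary: 78000 },
];

// Client-side display rule: decides what is rendered, not what was received.
function applyDisplayRule(payload, user) {
  return payload.map((r) =>
    user.role === "manager" ? { ...r } : { id: r.id, name: r.name }
  );
}

// Weak setup: the server returns everything and relies on the display rule.
function serveUnfiltered(_user) {
  return JSON.stringify(RECORDS);
}

// Corrected setup: login check, role check and row/field filtering
// all happen on the server before anything is serialized.
function serveFiltered(user) {
  if (!user || !user.role) return JSON.stringify({ error: "login required" });
  if (user.role === "manager") return JSON.stringify(RECORDS);
  const rows = RECORDS.filter((r) => r.owner === user.name)
    .map(({ id, name }) => ({ id, name }));
  return JSON.stringify(rows);
}

// Field names present in the raw response body, i.e. what the network tab
// or a direct request to the endpoint shows regardless of display rules.
function fieldsOnWire(body) {
  const data = JSON.parse(body);
  return Array.isArray(data) ? [...new Set(data.flatMap(Object.keys))].sort() : [];
}

// Compare what is rendered with what was actually transmitted.
function compare(user) {
  const weak = serveUnfiltered(user);
  const fixed = serveFiltered(user);
  return {
    rendered: applyDisplayRule(JSON.parse(weak), user).flatMap(Object.keys).includes("salary"),
    weakWire: fieldsOnWire(weak).includes("salary"),
    fixedWire: fieldsOnWire(fixed).includes("salary"),
    fixedRows: JSON.parse(fixed).length,
  };
}

console.log(compare({ name: "bob", role: "staff" }));
```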
4. Use Page Rules Appropriately
Page rules excel at improving user experience:
- Guide users through workflows with contextual redirects
- Simplify interfaces by showing relevant elements
- Provide helpful messaging based on data conditions
- Create dynamic user journeys that respond to user actions
Best Practice: Use page rules to enhance user experience for users who already have proper access permissions.
Implementation Guidelines
When Page Rules Are Appropriate
✅ Good use cases:
- Redirecting users to complete required profile information
- Showing contextual messages based on data status
- Hiding irrelevant forms to reduce complexity
- Creating guided workflows for different user types
When to Use Security Controls Instead
🚫 Avoid page rules for:
- Protecting sensitive data from unauthorized access
- Controlling access to administrative functionality
- Hiding confidential information
- Implementing permission-based restrictions
Security Checklist
Before implementing page rules, ask yourself:
- Am I using this for user experience or security?
- Would it matter if a technical user bypassed this rule?
- Have I implemented proper user role restrictions?
- Is the underlying data properly secured at the server level?
- Are there API endpoints that could bypass these rules?
View-Based API Calls
- Page rules that hide views don't prevent direct API access to those views
- Users could still make HTTP requests directly to view endpoints
Remember: Page rules control what users see in your interface, but user roles and source filters can control what data they can actually access. For any security-sensitive scenarios, always implement proper role-based access control first, then use page rules to enhance the user experience.