Security and Privacy Settings
The Script Attack Protection setting is a security feature that prevents the storage and execution of specific custom code elements and attributes that are not on the allowlist.
Script Attack Protection
This setting prevents the storage and execution of specific custom code, that is not allowed, in record values and views on record creation or update. This helps keep your apps secure and prevents input-based hacks.
Notes: New apps have this setting enabled by default. Rich text views continue to allow scripts when this setting is enabled.
Script Attack Protection Allowlist
When enabled, code that is not on our allowlist will be prevented from saving in field values. Other values submitted will be saved as normal.
When form submission occurs, there will be no notification regarding the sanitization process in either the Live App or Builder; the affected values will simply not be saved.
Allowed Elements and Attributes
| Category | Items |
|---|---|
| Allowed Tags | h1, h2, h3, h4, h5, h6, blockquote, p, del, a, ul, ol, nl, li, b, i, strong, em, strike, code, hr, br, div, table, thead, caption, tbody, tr, th, td, pre, iframe, img, span, font, meter, button, progress, path, small, var, sub, sup, u, details, summary |
| Allowed Attributes | a: ['style', 'href', 'name', 'target'] |
| Allowed Self-Closing Tags | img, br, hr, area, base, basefont, input, link, meta |
| Allowed Schemes | HTTP, HTTPS, FTP, mailto, href, src, cite |
Important Notes
- Script Attack Protection is not applied to the API & Code section of your app
- Rich Text elements continue to allow scripts when this setting is enabled
- All text fields (not just rich text) allow the use of HTML, but the HTML is sanitized against our documented allowlist. You can't use a SCRIPT tag, for example.
Examples
-
<script src="google.com">Hello world!</script>
Saves as having no value. Why? The<script></script>tag is code that is not on our allowlist. -
<b onclick="alert('hello')">Hello world!</b>
Saves as<b>Hello world!</b>Why? The "onclick" portion is code that is not on our allowlist. -
<b>Hello world!</b>
Saves as<b>Hello world!</b>Why? This HTML code is allowed.
Script Attack Protected Areas
These areas are protected on all apps, regardless of the security setting. Entering code that is not on the allowlist into any of these areas will not be stored.
| Area | Protected Elements |
|---|---|
| Account |
|
| Table |
|
| Field |
|
| Page (scene) |
|
| Page Elements |
|
Support Access
Checking this box enables the Knack Support team access to view your app while troubleshooting.
Note: This setting is enabled automatically for new apps.
IP Restrictions
If enabled, only IP addresses listed here will have access to the app. This setting is off by default and is available on Pro and higher-tier Knack plans.
Restrict API Responses
When this option is enabled, only fields added to the view will be included in any record responses. This applies to:
- Record updates triggered through Live App's JavaScript events
- View-based API requests
This setting does not apply to:
- Record inserts
- POST API requests
In these cases, all fields will be returned in the response payloads, regardless of this setting.
By default, the "Restrict API Responses" option is enabled. This can:
- Reduce payload size
- Control data visibility
Be sure to review any custom code or integrations that rely on field presence before changing this setting.
Secure Browser
With this setting enabled, if someone accesses your Live App over http://, they’ll automatically be redirected to the secure https:// version.
Note: This setting is enabled automatically for new apps.
Updated 25 days ago