Security and Privacy Settings

The Script Attack Protection setting is a security feature that prevents the storage and execution of specific custom code elements and attributes that are not on the allowlist.

Script Attack Protection

This setting prevents custom code that is not on the allowlist from being stored or executed in record values and views when a record is created or updated. This helps keep your apps secure and prevents input-based attacks.

Notes: New apps have this setting enabled by default. Rich text views continue to allow scripts when this setting is enabled.


Script Attack Protection Allowlist

When enabled, code that is not on our allowlist will be prevented from saving in field values. Other values submitted will be saved as normal.

When a form is submitted, neither the Live App nor the Builder shows any notification that sanitization took place; the affected values are simply not saved.

Allowed Elements and Attributes

Allowed Tags:
  h1, h2, h3, h4, h5, h6, blockquote, p, del, a, ul, ol, nl, li, b, i, strong, em, strike, code, hr, br, div, table, thead, caption, tbody, tr, th, td, pre, iframe, img, span, font, meter, button, progress, path, small, var, sub, sup, u, details, summary

Allowed Attributes:
  a: ['style', 'href', 'name', 'target']
  h1-h6: ['style']
  blockquote: ['style']
  p: ['style']
  del: ['style']
  ul: ['style']
  ol: ['style']
  nl: ['style']
  li: ['style']
  b: ['style']
  i: ['style']
  strong: ['style']
  em: ['style']
  strike: ['style']
  code: ['style']
  hr: ['style']
  br: ['style']
  div: ['style']
  table: ['style']
  thead: ['style']
  th: ['style']
  td: ['style']
  tr: ['style']
  tbody: ['style']
  caption: ['style']
  pre: ['style']
  span: ['style']
  href
  align
  center
  iframe: [all attributes]
  img: [all attributes]
  id
  class
  font: ['face', 'color', 'size']
  button: ['style', 'type']
  progress: ['value', 'max']
  meter: ['value', 'min', 'max', 'optimum']
  path: [all attributes]

Allowed Self-Closing Tags:
  img, br, hr, area, base, basefont, input, link, meta

Allowed Schemes:
  HTTP, HTTPS, FTP, mailto, href, src, cite

Important Notes

  • Script Attack Protection is not applied to the API & Code section of your app
  • Rich Text elements continue to allow scripts when this setting is enabled
  • Contact Knack support via the chat widget in the Builder or by submitting a form if you need additional elements added to the allowlist

Examples:

  • <script src="google.com">Hello world!</script>
    Saves as having no value.
    • Why? The <script></script> tag is code that is not on our allowlist.
  • <b onclick="alert('hello')">Hello world!</b>
    Saves as <b>Hello world!</b>
    • Why? The "onclick" portion is code that is not on our allowlist.
  • <b>Hello world!</b>
    Saves as <b>Hello world!</b>
    • Why? This HTML code is allowed.
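To make the allowlist concrete, here is an added example (not Knack's code) of a tag-level sanitizer that applies the tag, attribute and scheme allowlists from the table above and reproduces the three outcomes in the examples. It is a regex tokenizer rather than a full HTML parser, and it assumes that URL attributes without a scheme (relative links) are kept.

```javascript
// Added example, not Knack's code: a tag-level allowlist sanitizer mirroring the
// policy described on this page. It tokenizes tags with a regex and is NOT a full
// HTML parser; a production filter must sanitize on a real DOM/parser.
const ALLOWED_TAGS = new Set((
  "h1 h2 h3 h4 h5 h6 blockquote p del a ul ol nl li b i strong em strike code hr br " +
  "div table thead caption tbody tr th td pre iframe img span font meter button " +
  "progress path small var sub sup u details summary").split(" "));
// Elements whose only allowed attribute is style (per the Allowed Attributes table).
const STYLE_ONLY = "h1 h2 h3 h4 h5 h6 blockquote p del ul ol nl li b i strong em strike " +
  "code hr br div table thead th td tr tbody caption pre span";
const ALLOWED_ATTRS = {
  a: ["style", "href", "name", "target"], font: ["face", "color", "size"],
  button: ["style", "type"], progress: ["value", "max"],
  meter: ["value", "min", "max", "optimum"], iframe: "all", img: "all", path: "all",
};
for (const t of STYLE_ONLY.split(" ")) ALLOWED_ATTRS[t] = ["style"];
const ALLOWED_SCHEMES = new Set(["http", "https", "ftp", "mailto"]);

// Assumption: a URL with no scheme (relative link) is kept; any other scheme is dropped.
function urlAllowed(value) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(value);
  return !m || ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

function attrAllowed(tag, name, value) {
  const allowed = ALLOWED_ATTRS[tag] || [];          // elements not listed get no attributes
  if (allowed !== "all" && !allowed.includes(name)) return false;
  if (name === "href" || name === "src") return urlAllowed(value);
  return true;
}

// Returns the value as it would be stored: "" when any tag is off the allowlist
// (the page's <script> case), otherwise the markup with disallowed attributes removed.
function sanitize(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const attrRe = /([a-zA-Z][a-zA-Z0-9_:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += html.slice(last, m.index);                 // text between tags passes through
    last = tagRe.lastIndex;
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return "";            // disallowed tag: whole value is dropped
    if (m[0].startsWith("</")) { out += `</${tag}>`; continue; }
    let attrs = "", a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (attrAllowed(tag, name, value)) attrs += ` ${name}="${value.replace(/"/g, "&quot;")}"`;
    }
    out += `<${tag}${attrs}>`;
  }
  return out + html.slice(last);
}
```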

Script Attack Protected Areas

These areas are protected on all apps, regardless of the security setting. Entering code that is not on the allowlist into any of these areas will not be stored.

Area: Protected Elements
  • Account: Name, Slug
  • Table: Name
  • Field: Name, Default Values, Formatting
  • Page (scene): Name
  • Page Elements: Name, Title, Description, Label ("Reload Form" text, "Submit" button text, "No Data" text), Links, Groups, Columns, Field inputs

Support Access

Checking this box gives the Knack Support team access to view your app while troubleshooting.

Note: This setting is enabled automatically for new apps.

IP Restrictions

If enabled, only IP addresses listed here will have access to the app. This setting is off by default and is available on Pro and higher-tier Knack plans.

Restrict API Responses

When this option is enabled, only fields added to the view will be included in any record responses. This applies to the following scenarios:

  1. Record updates triggered through Live App's JavaScript events
  2. View-based API requests

Please note that this setting does not apply to the following situations:

  • Record inserts
  • POST API requests

In these cases, all fields will always be returned in the response payloads, regardless of the "Restrict API Responses" setting.

By default, the "Restrict API Responses" option is enabled, meaning that only the fields included in the view (element) will be returned in the response payloads for record updates via Live App's JavaScript events and for view-based API requests.

This option can be useful in certain situations:

  1. Reducing response payload size: If your elements contain only a subset of fields from the associated tables, restricting the API responses to include only those fields can significantly reduce the size of the response payloads. This can improve performance and reduce data transfer overhead.
  2. Controlling data visibility: In some cases, you may want to limit the fields returned in the API responses for security or privacy reasons. By enabling this option and carefully selecting the fields to include in your views, you can control which data is exposed through the API.

Enabling this option may affect any custom code or integrations that rely on the presence of specific fields in the API responses. Make sure to review and update any affected code or integrations accordingly when enabling or disabling this setting.

Secure Browser

With this setting enabled, if anyone accesses your Live App on http://, they'll automatically redirect to the https:// version.


Note: This setting is enabled automatically for new apps.

Knack uses HERE Maps to display maps and geolocate address fields. This setting can be found on the App Settings > Map Provider page. Details for the settings and options available for maps and Address fields can be found in the map-provider-settings article.