I'd go with an option to disable the security checks.
Thanks to @dblythy's PR this topic is picking up speed.
I think once the PR is merged, it would be good if someone from the core team would reach out to the video author and thank them for the critical security analysis and the subsequent discussion it triggered in our community. Once we have a nice dashboard view for the security checks, maybe we can motivate the video author to update their video or release another one. I assume improving security is - and should be - the single underlying motivation of analyses like these, so I would expect that both the author and our community can claim a win in demonstrating that this process works.
Here's a blog @dplewis shared with me. It's from the same author as the video. Some of the information is the same, but it goes into some more detail. It will be good to address as much of it as possible: https://healdb.tech/blog/parse.html
@RodrigoSMarques thank you for this post, this has led to some great improvements to Parse Server, such as:
- Parse Server restricts fileUpload to logged in users only
- Parse Dashboard can be used with 2FA
- Parse Server has the SecurityChecks feature which checks for common misconfigurations
Note that enabling these features does not guarantee security of data. With Parse's flexibility, it's up to you to make sure that data is restricted, and that weak points in your server stack are protected.
An example of a common vulnerability is returning a full Parse.Object that has been fetched with a masterKey from a Cloud Function.
Parse.Cloud.define('getObject', () => {
return new Parse.Query('Objects').find({useMasterKey: true});
});
This cloud function will return all objects to the user, regardless of ACL. This is just an example of how data security is in the hands of the developer.
Generally, I write my Unit Tests at the start of a project to cover common security protocols that I want the application to follow, such as:
- Ensuring users can't query other users
- Ensuring users can't edit other users
- Ensuring certain data isn't returned from cloud functions / queries (making sure sensitive data is stripped out if required)
- Ensuring cloud functions only return the data that is necessary
We are continuing to work on Parse Server security and welcome any suggestions or ideas
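The following is an added example, not code from the post above or from Parse Server itself. It models, offline, what the masterKey-returning cloud function in the post leaks and what a hardened version should do instead: filter by the caller's read permission (which real Parse does for you when you query with the caller's session token rather than the master key) and project only the fields the client needs. It also shows the shape of the "users can't see other users' data / sensitive fields are stripped" unit test from the list above. The ACL JSON layout matches what Parse stores on an object; the table, user ids and role names are constructed for illustration, and `fetchWithMasterKey` stands in for a `Parse.Query` run with `useMasterKey: true`.

```javascript
// Added example (not the post's or Parse Server's own code). Parse stores an ACL as
// { "*": {read, write}, "<userObjectId>": {...}, "role:<RoleName>": {...} };
// an object with no ACL field at all is readable and writable by everyone.
function canRead(acl, userId, roleNames) {
  if (!acl) return true;
  if (acl['*'] && acl['*'].read) return true;
  if (userId && acl[userId] && acl[userId].read) return true;
  return roleNames.some((r) => acl['role:' + r] && acl['role:' + r].read);
}

// Constructed sample table, as seen through the master key (which ignores ACLs).
const OBJECTS = [
  { objectId: 'obj1', title: 'public note', secret: 'x', ACL: { '*': { read: true } } },
  { objectId: 'obj2', title: 'alice private', secret: 'y', ACL: { alice: { read: true, write: true } } },
  { objectId: 'obj3', title: 'admins only', secret: 'z', ACL: { 'role:Admin': { read: true, write: true } } },
  { objectId: 'obj4', title: 'no ACL at all', secret: 'w' },
];

// Stand-in for `new Parse.Query('Objects').find({ useMasterKey: true })`.
function fetchWithMasterKey() {
  return OBJECTS.map((o) => ({ ...o }));
}

// The pattern from the post: whatever the master key can see goes back to the caller.
function getObjectVulnerable(request) {
  return fetchWithMasterKey();
}

// Hardened: drop objects the caller cannot read, then keep only the fields the
// client needs. In real Cloud Code the filtering half is what you get by running
// the query as the caller instead of as the master key:
//   query.find({ sessionToken: request.user.getSessionToken() })
// `request.roles` is an assumed, pre-resolved list of the caller's role names.
function getObjectHardened(request, allowedFields = ['objectId', 'title']) {
  const userId = request.user ? request.user.id : null;
  const roles = request.roles || [];
  return fetchWithMasterKey()
    .filter((o) => canRead(o.ACL, userId, roles))
    .map((o) => Object.fromEntries(allowedFields.map((f) => [f, o[f]])));
}

// The kind of check the post's unit-test list describes: a caller must not receive
// another user's object, and the `secret` field must never leave the server.
function leaksOtherUsersData(handler, request, otherUsersObjectId) {
  const result = handler(request);
  return result.some((o) => o.objectId === otherUsersObjectId || 'secret' in o);
}

const bobRequest = { user: { id: 'bob' }, roles: [] };
console.log(leaksOtherUsersData(getObjectVulnerable, bobRequest, 'obj2')); // true
console.log(leaksOtherUsersData(getObjectHardened, bobRequest, 'obj2'));   // false
```

Running it as bob (no roles) shows the vulnerable handler handing back alice's private object and every `secret` field, while the hardened handler returns only the public and ACL-less objects with just `objectId` and `title`. Note that obj4 is visible to everyone, including an anonymous caller, precisely because it has no ACL: objects created without an ACL are the other half of the "data security is in the hands of the developer" point.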
My English is not perfect but I would understand this the other way. Did you mean 'allows' instead of 'prevents'?
I have not found any flag in the server options in the documentation. Is the public upload blocked by default, or is there an undocumented option to set up? I would like to check that for properly setting it on the Back4App service.
Thank you!
You're correct, it's a double negative. I've edited my comment.
These changes are on the master branch only, soon to be released on V5!
Perhaps to confirm my understanding, these will be activated by default and no entry in the config is necessary, correct?
Thank you!
Although we are hoping to continue to evolve Parse Server, we don't want to force developers into time consuming changes. Breaking changes are a source of frustration for our community.
Public fileUpload is the only breaking change. SecurityChecks and MFA for dashboard will need to be activated manually. Although if you're using B4A, you should already be able to use MFA on their dashboard, and your masterKey / databaseURL is probably already secure (as they are autogenerated).
I can't find any docs on enableAnonymousUsers with the exception of the Parse Server API doc that only mentions that it exists.
I looked in the following locations for further explanation.
https://docs.parseplatform.org/parse-server/guide
https://docs.parseplatform.org/js/guide
So when you mention lazy developers you must be referring to the ones maintaining the docs?
This is my first time using Parse so I like to read through the docs so that I understand how to use the tech and make sure I am not getting myself into trouble. I'm not going to read source code just to figure out how a certain config option works. Bullet point #1 in your post is the most information about enableAnonymousUsers that I have been able to find so far.