Security of the Parse.User object in Cloud Code


I’d like to know what the validity of the request.user object is in Cloud Code functions.

It would be useful to know at what point it is applied to the request object and whether it could be altered by someone with malicious intent before the request reaches the server?


The request.user is NOT sent by the client to the API. Parse Server uses the X-Parse-Session-Token header to retrieve the current user and set it to the request.user object. So the unique way for someone to change it would be by intercepting another’s session token somehow. That’s actually the same risk for all other API calls.

1 Like

Thanks, that’s very useful information :facepunch:

Might be nice to add some information about this and other aspects of cloud code security to the guide at some point.

1 Like