
Security Best Practices for Your PocketBase App

Ensure your application and data are secure. A guide to API rules, authentication, and server security settings.

Marcus Reed · Feb 17, 2024 · 3 min read security best-practices auth

Security is often an afterthought, but it should be priority #1. PocketBase provides powerful security tools, but they need to be configured correctly. Here is a checklist of best practices to secure your PocketBase application.

1. Master API Rules

API Rules are the firewall for your data. Depending on how a collection's rules are set, it may be private (good) or public (bad if it holds user data).

The Principle of Least Privilege

Grant permissions only to those who absolutely need them.

  • Bad Rule: "" (empty string = public, everyone, including unauthenticated requests)
  • Better Rule: @request.auth.id != "" (any logged-in user)
  • Best Rule (Ownership): @request.auth.id = user.id (only the record's owner)

Common Rule Patterns

  • Public Read, Admin Write:
    • List/View: ""
    • Create/Update/Delete: null (Admin only)
  • User Private Data:
    • List/View/Update: id = @request.auth.id
  • Shared Group Data:
    • List/View: group_members.user ?= @request.auth.id
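To make these patterns checkable rather than just a reading exercise, here is an added example (not PocketBase's own code) that lints the rules in a collection export for the least-privilege problems above. The rule keys mirror the collections JSON the PocketBase dashboard exports; the sample export is constructed for the example, and the rule forms, such as an ownership check spelled `@request.auth.id = user.id`, are taken from this post.

```javascript
// Added example, not PocketBase's own code: lints API rules in a collection
// export for least-privilege issues. Rule keys mirror the collections JSON the
// dashboard exports (null = locked to admins, "" = public, else a filter).
const RULE_KEYS = ["listRule", "viewRule", "createRule", "updateRule", "deleteRule"];
const WRITE_KEYS = new Set(["createRule", "updateRule", "deleteRule"]);
// The post's "Better" rule: authenticated, but with no ownership check.
const ANY_AUTH_USER = /^@request\.auth\.id\s*!=\s*""$/;

function auditCollection(col) {
  const findings = [];
  const add = (op, level, why) => findings.push({ collection: col.name, op, level, why });
  for (const key of RULE_KEYS) {
    const rule = col[key];
    const op = key.replace("Rule", "");
    if (rule === null || rule === undefined) continue; // locked: admins only, nothing to flag
    const isWrite = WRITE_KEYS.has(key);
    if (rule.trim() === "") {
      if (col.type === "auth" && key === "createRule") add(op, "info", "open sign-up; fine only if self-registration is intended");
      else if (isWrite) add(op, "high", `public write: anyone, even unauthenticated, can ${op}`);
      else if (col.type === "auth") add(op, "high", "public read of an auth collection exposes user records");
      else add(op, "info", "public read; confirm these records are meant to be public");
    } else if (!rule.includes("@request.auth")) {
      if (isWrite) add(op, "high", "write rule does not require authentication");
    } else if ((key === "updateRule" || key === "deleteRule") && ANY_AUTH_USER.test(rule.trim())) {
      add(op, "medium", `any logged-in user can ${op} every record; add an ownership check`);
    }
  }
  return findings;
}

function auditExport(collections) {
  return collections.flatMap(auditCollection);
}

// Constructed sample export (not from a real project) covering the post's patterns.
const SAMPLE = [
  { name: "posts", type: "base", listRule: "", viewRule: "",
    createRule: '@request.auth.id != ""', updateRule: "@request.auth.id = user.id", deleteRule: null },
  { name: "comments", type: "base", listRule: "", viewRule: "",
    createRule: "", updateRule: '@request.auth.id != ""', deleteRule: 'status = "draft"' },
  { name: "users", type: "auth", listRule: "", viewRule: "id = @request.auth.id",
    createRule: "", updateRule: "id = @request.auth.id", deleteRule: null },
];

for (const f of auditExport(SAMPLE)) {
  console.log(`[${f.level}] ${f.collection}.${f.op}: ${f.why}`);
}
```

Run it against your own export (Settings > Export collections in the dashboard) instead of `SAMPLE`; every "high" finding is a rule worth revisiting before going to production.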

2. Secure Your Admin Dashboard

Your admin dashboard is the keys to the kingdom.

  • Strong Password: Use a generated, long password for your admin account.
  • Limit Access: Don’t share the main admin credentials.
  • Disable Admin API: If you don’t need to manage collections programmatically, consider locking down admin access via reverse proxy rules if you are self-hosting (PocketBase Cloud handles infrastructure security for you).

3. Data Validation

Don’t trust the client. Even with API rules, valid users could send invalid data.

  • Field Constraints: Use the dashboard to set “Non-empty”, “Min/Max Length”, and “Regex” patterns for text fields.
  • File Restrictions: Limit file uploads by MIME type (e.g., only images) and Max Size.

4. Environment Variables

Never commit secrets to git.

  • API Keys: Store third-party API keys (Stripe, AWS, etc.) in System Settings > Secrets (if implementing hooks) or use OS environment variables.
  • PocketBase URL: In your frontend app, use .env files to store your API URL.

5. SMTP Configuration

Don’t use the default mail sender for production.

  • Configure your own SMTP server (SendGrid, Mailgun, AWS SES).
  • This prevents phishing and ensures your password reset emails land in the Inbox, not Spam.
  • Verify your sender domain (SPF/DKIM).

6. Backups

Data loss is a security issue.

  • PocketBase Cloud: We handle daily backups automatically.
  • Manual Export: Periodically download a full backup (pb_data) from the dashboard settings for off-site cold storage.

7. Rate Limiting

PocketBase has built-in rate limiting to prevent abuse.

  • Check logs regularly to spot suspicious activity.
  • If you see a surge of failing requests from an IP, it might be a brute-force attack. PocketBase Cloud’s firewall mitigates DDoS, but application-level abuse is worth monitoring.

Conclusion

PocketBase is secure by default, but flexible enough to be insecure if misconfigured. Take 15 minutes today to review your API Rules - it’s the single most impactful thing you can do for your app’s security.