Database Tables Publicly Accessible Without Authentication
Your Base44 app's database tables are readable by anyone, even unauthenticated visitors. Personal information, email addresses, passwords, payment details, and private business data are all accessible by directly querying the database through the app's API layer.
This happens because Base44's default table configuration may not enforce access restrictions, or the access rules were misconfigured during setup. Anyone who discovers the API endpoint or inspects network requests can pull all records from any table.
You might discover this when a user reports seeing other users' data, when you find your data indexed by search engines, or during a security review that reveals all tables are open.
Error Messages You Might See
Common Causes
- Default table permissions left open — Base44 tables are created without row-level or table-level access restrictions enabled
- No authentication required for read operations — The data API allows GET requests without any auth token or session
- API endpoints exposed in frontend code — Network requests visible in browser DevTools reveal direct database query endpoints
- Access rules only on UI, not data layer — Page-level restrictions hide the UI but the underlying data endpoints remain accessible
- Admin tables not separated — Sensitive admin data lives in the same unrestricted tables as public content
How to Fix It
- Audit all table permissions — Go through every table in your Base44 dashboard and check who has read, write, and delete access
- Enable authentication on all data endpoints — Require a valid session or API token for any data read or write operation
- Implement row-level access — Configure rules so users can only read and modify their own records
- Separate public and private tables — Keep truly public content (blog posts, product listings) in separate tables from private data (users, orders)
- Test as an unauthenticated user — Open your app in an incognito window and check what data you can access without logging in
Real developers can help you.
rayush33
JavaScript (React.js, React Native, Node.js) Developer with demonstrated industry experience of 4+ years, actively looking for opportunities to hone my skills as well as help small-scale business owners with solutions to technical problems
Krishna Sai Kuncha
Experienced Professional Full stack Developer with 8+ years of experience across react, python, js, ts, golang and react-native. Developed inhouse websearch tooling for AI before websearch was solved : )
MFox
Full-stack professional senior engineer (15+years). Extensive experience in software development, qa, and IP networking.
BurnHavoc
Been around fixing other peoples code for 20 years.
Bastien Labelle
Full stack dev w/ 20+ years of experience
hanson1014
Full-stack developer experienced in fixing and deploying AI-generated apps from Lovable, Bolt.new, Cursor, and Replit. I specialize in debugging Supabase integration issues (auth flows, RLS policies, database connections), fixing broken deployments, resolving routing/blank screen problems, and cleaning up messy React/Vite codebases. I also build production apps with the Claude API and have shipped a Mac desktop dev tool (Nexterm from scratch. Based in Hong Kong, fast turnaround.
ISHANTDEEP SINGH
Senior Software Engineer with 7+ years of experience in React, JavaScript, TypeScript, Next.js, and Node.js. I’ve also worked as a tech lead for startups, owning end-to-end technical execution including architecture, development, scaling, and delivery. I bring a strong mix of hands-on coding, product thinking, and technical leadership, and I’m comfortable building products from scratch as well as improving and scaling existing systems.
Matt Butler
Software Engineer @ AWS
Anthony Akpan
Developer with 8 years of experience building softwares fro startups
Victor Denisov
Developer
You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.
Get HelpFrequently Asked Questions
How do I check if my Base44 tables are publicly accessible?
Open your app in an incognito browser window without logging in. Try accessing data pages or inspect network requests in DevTools. If you can see table data without authentication, your tables are public.
Can I restrict access to specific fields within a table?
Base44 typically allows table-level and row-level access rules. For field-level restrictions, you may need to create separate tables for sensitive fields and apply stricter access rules to those tables.