Skip to content

Commit e62f141

Browse files
committed
Add caution around endpoint security, update fetch code snippet
1 parent ffc73bb commit e62f141

3 files changed

Lines changed: 18 additions & 6 deletions

File tree

docs/capabilities/server/http-fetch.mdx

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -70,10 +70,14 @@ Client-side fetch has different restrictions and can only make requests to your
7070
**Client-side restrictions:**
7171

7272
- **Domain limitation**: Can only make requests to your own webview domain
73-
- **Endpoint requirement**: All requests must target endpoints that end with `/api`
73+
- **Endpoint requirement**: Client-side fetches to your app server must target paths that start with `/api/`
7474
- **Authentication**: Handled automatically - no need to manage auth tokens
7575
- **No external domains**: Cannot make requests to external domains from client-side code
7676

77+
:::caution
78+
Do not treat `/api/` endpoints as private. Any user who can load your app will be able to call them directly. When changing Redis, content, settings, moderator state, or other persistent data, first check that the user has permission in your server logic. Apps with unprotected endpoints will be rejected during review.
79+
:::
80+
7781
```tsx title="client/index.ts"
7882
const handleFetchData = async () => {
7983
// Correct: fetching your own webview's API endpoint
@@ -91,7 +95,7 @@ const handleFetchData = async () => {
9195
// Incorrect: cannot fetch external domains from client-side
9296
// const response = await fetch('https://external-api.com/data');
9397
94-
// Incorrect: endpoint must end with /api
98+
// Incorrect: client fetch endpoint must start with /api/
9599
// const response = await fetch('/user-data');
96100
```
97101

versioned_docs/version-0.12/capabilities/server/http-fetch.mdx

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -70,10 +70,14 @@ Client-side fetch has different restrictions and can only make requests to your
7070
**Client-side restrictions:**
7171

7272
- **Domain limitation**: Can only make requests to your own webview domain
73-
- **Endpoint requirement**: All requests must target endpoints that end with `/api`
73+
- **Endpoint requirement**: Client-side fetches to your app server must target paths that start with `/api/`
7474
- **Authentication**: Handled automatically - no need to manage auth tokens
7575
- **No external domains**: Cannot make requests to external domains from client-side code
7676

77+
:::caution
78+
Do not treat `/api/` endpoints as private. Any user who can load your app will be able to call them directly. When changing Redis, content, settings, moderator state, or other persistent data, first check that the user has permission in your server logic. Apps with unprotected endpoints will be rejected during review.
79+
:::
80+
7781
```tsx title="client/index.ts"
7882
const handleFetchData = async () => {
7983
// Correct: fetching your own webview's API endpoint
@@ -91,7 +95,7 @@ const handleFetchData = async () => {
9195
// Incorrect: cannot fetch external domains from client-side
9296
// const response = await fetch('https://external-api.com/data');
9397
94-
// Incorrect: endpoint must end with /api
98+
// Incorrect: client fetch endpoint must start with /api/
9599
// const response = await fetch('/user-data');
96100
```
97101

versioned_docs/version-0.13/capabilities/server/http-fetch.mdx

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -70,10 +70,14 @@ Client-side fetch has different restrictions and can only make requests to your
7070
**Client-side restrictions:**
7171

7272
- **Domain limitation**: Can only make requests to your own webview domain
73-
- **Endpoint requirement**: All requests must target endpoints that end with `/api`
73+
- **Endpoint requirement**: Client-side fetches to your app server must target paths that start with `/api/`
7474
- **Authentication**: Handled automatically - no need to manage auth tokens
7575
- **No external domains**: Cannot make requests to external domains from client-side code
7676

77+
:::caution
78+
Do not treat `/api/` endpoints as private. Any user who can load your app will be able to call them directly. When changing Redis, content, settings, moderator state, or other persistent data, first check that the user has permission in your server logic. Apps with unprotected endpoints will be rejected during review.
79+
:::
80+
7781
```tsx title="client/index.ts"
7882
const handleFetchData = async () => {
7983
// Correct: fetching your own webview's API endpoint
@@ -91,7 +95,7 @@ const handleFetchData = async () => {
9195
// Incorrect: cannot fetch external domains from client-side
9296
// const response = await fetch('https://external-api.com/data');
9397
94-
// Incorrect: endpoint must end with /api
98+
// Incorrect: client fetch endpoint must start with /api/
9599
// const response = await fetch('/user-data');
96100
```
97101

0 commit comments

Comments
 (0)