Member Specific Page Security Issue

Hello,

I see that you can create custom dashboards, that display Webflow CMS content specific to the user that is logged in. But I see a huge security issue for such data, since once you have the user id of someone, you could just disable all JS from MemberStack and visit the user page with the user id. Since MemberStack is the only gatekeeper of that site, once MemberStack is removed/bypassed, everyone will be able to visit the member specific page and all the data gets loaded in from Webflow no problemo.

Is there a way to handle this differently with the current version of memberstack?

Have a good one.

2 Likes

Hi Marcel!

This is a great question and one that we have a solution for :slightly_smiling_face:

On our powerups page, https://app.memberstack.io/power-ups, you’ll see a “Require Javascript” section. This section includes a small code snippet that you can add to your pages for additional security.

The code snippet includes a “noscript” tag that only executes if a browser has JS disabled.

That can be easily bypassed by having JS enabled but blocking certain requests from being made, or even just modifying the header code of the site and removing/skipping the memberstack code.

2 Likes

Hey Marcel :wave:

Memberstack is definitely not a great fit if you need to protect content that’s hosted in Webflow. That said, you can solve the problem by having members upload/store data with Memberstack - not Webflow.

I recommend reading through our security policy real quick. This part in particular:

Site Content

Hidden content - Memberstack “hides” parts of your website using redirects and CSS in the front-end. 99.9% of web goers will have no idea how to access hidden content on your site. However, we highly recommend that you DO NOT hide highly sensitive personal information using Memberstack.

Protected content - We are building a system to secure content hosted on any website. Please comment on or like this thread to receive updates.

Member data - Member data, such as email and password, are secured using industry best practices. We force HTTPS, meaning data between websites and our servers is always encrypted. Data stored in our database is encrypted at rest.

Full read here.

We’re also working on ways to 100% secure content that’s hosted on any website :crossed_fingers: No ETA yet though.

Hi!

How do you give members the option to upload/store data with Memberstack? And is this something I can upload on the backend? I would like to store client documents for them to view inside their dashboard but I want to make sure it’s secure for the client. (or, at least to know what the security limitations are in order to work around them).

Thank you!