Security Policy

What is Security Policy?

This panel as a part of your instance settings enables certain security measures that you might need to ensure data integrity / safety, or for compliance reasons. This can include things like enforcing inactivity logout, authentication services, 2FA, or SSO.

You can access the Security Policy panel by heading to your instance selection screen, clicking the ⚙️ icon next to your instance, and choosing Security Policy from the panel that opens.

Accessing the Security Policy panel

For All Paid Plans

Certain security policy settings are available for all paid Xano plans, and include the following:

Allow Direct Query

This setting determines whether or not use of the Direct Database Query function is allowed in your function stacks.

Why would you want to disable Direct Query?

Direct Query enables you not only to run basic database operations, such as adding or updating data, but also to execute more advanced and potentially dangerous SQL statements. Disabling this function helps ensure that team members can't run queries they shouldn't be able to.

Redis Key Isolation

This setting determines whether or not keys you set using caching functions are available in other workspaces.

Why enable Redis Key Isolation?

This can be especially important if you have different team members with access to different, isolated workspaces. Key Isolation ensures that, in the rare case where separate teams use the same key names, the keys don't conflict.

Premium Features

Inactivity Logout Time

This setting enables automatic logout from Xano due to inactivity for all team members. If enabled, the timeout can be set between 1 and 24 hours.

Require 2FA

This setting enforces all team members of your Instance to authenticate using 2FA when logging into Xano.

Authentication Enforcement

This setting optionally enforces which authentication service(s) team members can authenticate with.

Allowed SSO Hosts

This setting restricts the email address domains allowed when team members log in. For example, if we wanted team members to authenticate only with GitHub accounts that use a xano.com email address, we would check GitHub under Authentication Enforcement and add xano.com as an allowed SSO host.
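The following is an added example, not Xano's own code, that models how Authentication Enforcement and Allowed SSO Hosts combine into one login decision. The policy fields, provider names and the `login_allowed` function are assumptions for illustration; the point it demonstrates is that the domain check must be an exact, case-insensitive match rather than a substring or suffix test.

```python
# Added example (not Xano's code): models how Authentication Enforcement and
# Allowed SSO Hosts combine to decide whether a team member's login is accepted.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class SecurityPolicy:
    # Providers ticked under Authentication Enforcement (assumed names, lower-case).
    # An empty set means the setting is not enforced: any provider is accepted.
    enforced_providers: FrozenSet[str] = frozenset()
    # Email domains listed under Allowed SSO Hosts. Empty set = no restriction.
    allowed_sso_hosts: FrozenSet[str] = frozenset()

def email_domain(email: str) -> Optional[str]:
    """Return the normalised domain part of an address, or None if malformed."""
    local, at, domain = email.strip().rpartition("@")
    if not at or not local or not domain or "@" in local:
        return None
    return domain.lower().rstrip(".")

def login_allowed(policy: SecurityPolicy, provider: str, email: str) -> Tuple[bool, str]:
    """Evaluate a login attempt; returns (decision, reason) suitable for audit logs."""
    if policy.enforced_providers and provider.lower() not in policy.enforced_providers:
        return False, f"provider '{provider}' is not an enforced authentication service"
    if policy.allowed_sso_hosts:
        domain = email_domain(email)
        if domain is None:
            return False, "email address is malformed"
        # Exact, case-insensitive match only: a substring or suffix test would
        # accept look-alikes such as notxano.com or xano.com.example.net.
        if domain not in policy.allowed_sso_hosts:
            return False, f"domain '{domain}' is not an allowed SSO host"
    return True, "allowed"

# Constructed sample policy matching the GitHub + xano.com example above.
EXAMPLE_POLICY = SecurityPolicy(
    enforced_providers=frozenset({"github"}),
    allowed_sso_hosts=frozenset({"xano.com"}),
)

if __name__ == "__main__":
    attempts = [("github", "dev@xano.com"), ("google", "dev@xano.com"),
                ("github", "dev@notxano.com"), ("github", "dev@xano.com.example.net")]
    for prov, addr in attempts:
        print(prov, addr, login_allowed(EXAMPLE_POLICY, prov, addr))
```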

IP Address Allowlist

This setting restricts access to your Xano instance and your APIs to the listed IP addresses.

IP Address Denylist

This setting blocks the listed IP addresses from accessing your Xano instance and calling your APIs.
