How do I fix the Public Sensitive URL in API Call issue flagged by Flusk?
Updated today

This issue is raised when an API call uses an endpoint URL that may itself be sensitive. We use AI to determine the sensitivity of the requested URL, and we flag it so that you can review whether it should be left public.

By default, the endpoints that you call in your API calls are not private and can be accessed by anyone who knows where to find them. This may not be a significant issue when using third-party services that require additional authentication to access data, but it can be a concern when calling an endpoint that doesn't require authentication (such as an internal Xano endpoint, a private server, or any other platform that doesn't use authentication).

In these cases, you may not want anyone to know the exact URL, as the server may not be adequately secured for external access. Your security efforts are usually measured by your least secure component.

Predict AI

To determine whether a URL is safe or sensitive, we use a custom AI model that relies on two factors.

  1. Does the API require authentication for this endpoint? If so, we don't trigger the issue.

  2. Is the API totally safe, like a favicon fetcher or a public Google endpoint? If so, we don't trigger the issue.

Solution

To protect the URLs of your API calls, you can use a workaround that involves treating the endpoint URL as a private parameter in the API call. This will help to conceal the URL and keep it private.

Here is how it looks before using the workaround:

And this is how it looks now:

Our URL is now treated as a private parameter, and it can no longer be seen from the front-end pages of our app. Do not forget to check the "Private" box.

If you think this URL is not sensitive, you can ignore this issue.
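
One way to check the first factor above for an endpoint you own, before deciding whether to ignore the issue, is to send a request with no credentials and see whether the server rejects it. This is an added example, not Flusk's detection model or code from Flusk; the `probe` and `run_demo` names and the local demo server with its `/open` and `/locked` paths are constructed for illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Direct connections only, so proxy environment variables do not affect the result.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(url, timeout=5):
    """Send a GET with no credentials and classify how the server answers."""
    try:
        with _OPENER.open(urllib.request.Request(url), timeout=timeout):
            return "open"  # 2xx served to an anonymous caller
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return "requires-auth"
        return f"other:{err.code}"  # e.g. 404 or 500: review by hand


class _DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed backend: /open is public, /locked expects an Authorization header."""

    def do_GET(self):
        locked = self.path == "/locked" and "Authorization" not in self.headers
        self.send_response(401 if locked else 200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_demo():
    """Probe both paths of the constructed server on a free local port."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return {path: probe(base + path) for path in ("/open", "/locked")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, result in run_demo().items():
        print(path, "->", result)
```

An endpoint that comes back as `open` is served to any caller who knows the URL, so marking the URL as private hides it from the front end but does not change how the server itself responds.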
