Public apps + stored sendgrid query - are input variables protected / secure?


Let's say I have a resource query in a public app that takes in send-to and from email addresses and uses sendgrid to send the email, could a public app user 'hack' this to modify the input email address variables? Example shown below.


Hi @DavidS thanks for reaching out! No, the public app user should not be able to hack your query to send to another email address.

Will you be changing the emails to be dynamic inputs, or will it remain hardcoded like your screenshot? In case it's helpful for your app, we have our general security docs here Anything inside {{ }} is JavaScript. For security purposes, all JavaScript runs in a separate iframe, on a different domain. This is to prevent JavaScript injection, such as cross-site scripting (XSS) attacks.