Appsmith Architecture & client vs server side rendered?

Hi All,

I started with Appsmith and have already done quite a few tutorials and some reading, and I like it! Though what's bugging me is that I'm not able to find an overview of the Appsmith architecture, input and output. (In case it exists, I'm sorry; please provide me the link / where I could have found it.)

Main questions:

  1. For a self-hosted Appsmith ('instance? app?..'), do I need a running Appsmith docker instance to A. create the app, B. use the published app, C.? Thus, does a published app connect to some docker instance / backend managed by the Appsmith docker?
  2. In tutorials I often see that the visibility 'widget property' is used, e.g. in how-to-implement-custom-authentication-on-appsmith. Is this visibility of 'graphics / UI objects' server-side or client-side rendered? If it's client-side, am I correct that by using the browser devtools the user is able to 'unhide' some field that he should not be able to see? (Not ideal I'd say, though point 3 is more important then.)
  3. Execution of queries to a backend, e.g. a database. How is the access managed? Are all queries executed client-side, or is there the backend in between? If so, is any user (on a public app) able to do any database query (read, write, …) himself (if he were an experienced programmer), or…?

Thanks a lot, I'm looking forward to your responses so that I and others can understand Appsmith better 🙂

Hello! To answer your questions:

  1. Yes, a published app needs access to the docker instance, and all queries are routed through the server on this instance.
  2. This is purely client-side control, generally meant to help control the experience rather than protect from a bad actor. For security, Appsmith has access controls to allow only certain authenticated users that you invite to your organization to edit or access your applications. More granular access is available in our commercial edition.
  3. All queries are executed server-side, with only substituted variables sent from the client. We even enable prepared statements to prevent any kind of SQL injection.

You can read about all of the security measures implemented to ensure your apps are protected in our documentation.


Thanks a lot Nikhil, clear!