SurrealDB is secure by default and is suitable for all database use cases. It offers powerful features like scripting, functions or network access from within your SurrealQL queries. For the strongest security, SurrealDB doesn’t allow most of these features by default and instead lets the administrator allow them as needed per use case.
When a query wants to use a capability that is not allowed, SurrealDB will reject it.
This rejection will also be logged in the SurrealDB server.
In production deployments, we recommend denying all capabilities by default and specifically allowing only those required.
surreal start --deny-all --allow-funcs "array, string, crypto::argon2, http::get" --allow-net api.example.com:443
You can learn more about best practices when using capabilities in our Security Best Practices guide.
By default, all capabilities are denied unless allowed. Some few capabilities (e.g. functions) are allowed by default.
Capabilities can be configured globally (e.g. --allow-all, --deny-all), generally (e.g. --allow-net, --deny-funcs) or specifically (e.g. --deny-net 192.168.1.1, --allow-funcs string::len). When capabilities are configured, the more specific capabilities prevail over the less specific. At the same level of specificity, denies always prevail over allows.
Capabilities configured generally prevail over those defined globally:
--deny-all --allow-scripting will deny all capabilities except for scripting.--allow-all --deny-net will allow all capabilities except for network.Capabilities configured specifically prevail over those defined globally or generally:
--deny-all --allow-net example.com will deny all capabilities except network connections to example.com.--allow-all --deny-funcs http will allow all capabilities except for calling functions of the http family.--deny-funcs --allow-funcs string::len will deny all functions except for string::len.--allow-net --deny-net 10.0.0.0/8 will allow all network connections except to the 10.0.0.0/8 block.Capabilities denied specifically prevail over those allowed specifically:
--deny-funcs crypto --allow-funcs md5 will deny all functions of the crypto including crypto::md5.--allow-funcs crypto --deny-funcs md5 will allow all functions of the crypto family except for crypto::md5.List of options for allowing capabilities:
| Option | Description | Default | |
|---|---|---|---|
-A, —allow-all | Allow all capabilities except for those more specifically denied like experimental features | False | |
-A, —allow-arbitrary-query | Denies arbitrary queries to be used by user groups. Possible user groups are: ‘guest’, ‘record’, and ‘system’. | False | |
—allow-experimental | Allow the usage of one or more experimental features (current experimental features are GraphQL and Record references). Possible values are | None | |
—allow-funcs [<target>,…] | Allow execution of all functions except for functions that are specifically denied. Alternatively, you can provide a comma-separated list of function names to allow | None | |
—allow-guests | Allow non-authenticated users to execute queries when authentication is enabled | False | |
—allow-net [<target>,…] | Allow all outbound network access except for network targets that are specifically denied. Alternatively, you can provide a comma-separated list of network targets to allow | None | |
—allow-scripting | Allow execution of embedded scripting functions | False | |
List of options for denying capabilities:
| Option | Description | Default | |
|---|---|---|---|
-D, —deny-all | Deny all capabilities except for those more specifically allowed | False | |
-D, —deny-arbitrary-query | Denies arbitrary queries from being used by user groups. Possible user groups are: ‘guest’, ‘record’, and ‘system’ | False | |
—deny-funcs [<target>,…] | Deny execution of all functions except for functions that are specifically allowed. Alternatively, you can provide a comma-separated list of function names to deny | None | |
—deny-guests | Deny non-authenticated users to execute queries when authentication is enabled | False | |
—deny-net [<target>,…] | Deny all outbound network access except for network targets that are specifically allowed. Alternatively, you can provide a comma-separated list of network targets to deny | None | |
—deny-scripting | Deny execution of embedded scripting functions | False | |
Guest access is used when you want to expose certain parts of a database to non-authenticated users. It’s useful when you want to serve datasets publicly and still require authentication for the rest of the system.
Even when this capability is allowed, a guest user can only execute functions or data operations like SELECT, CREATE, etc, and only if the PERMISSIONS clause for the resource being used in the query allows it.
SurrealDB offers built-in functions to perform common operations like string manipulation, math, etc. Users can also define their own functions with custom logic.
In certain environments, you may not want users to use specific functions (i.e. http::*) or execute any custom function at all. You can use the allow/deny lists to configure what functions are allowed and what functions are denied.
SurrealDB offers http functions that can access external network endpoints.
If you want to allow or deny access to certain network target, you can configure the network options accordingly. Here are some examples:
Available since: v2.2.0
The --allow-arbitrary-query and --deny-arbitrary-query allows database administrators to allow or deny arbitrary quering by either guest, record or system users, or a combination of those. This capability settings affects the following: /sql endpoint, /key endpoints, /graphql endpoint and RPC methods use, select, create, update, merge, patch, delete, relate, insert, insert_relation, query and graphql.
Endpoints that do not accept arbitrary queries such as /version and authentication endpoints are not affected.