Security of rest endpoint used by Everyone (public) Survey123 form!

ECarson · ‎11-30-2023

Hi,

I'm interested in the Survey123 form with Everyone (public) enabled.

I'm happy with the form controls and how this guides the user to input the right information.

However, the rest endpoint to the view layer is exposed to the public. Am I right in that anyone with some knowledge could just started adding records via the rest endpoint outside of the correct form controls?

Is there anyway to restrict the rest end point so only suvery123 can see it or is there a way to restrict only records summitted via survey123 to be added?

Any help or guidance on this would be beneficial.

Regards,

Elliott

SimonSchütte_ct · ‎12-01-2023

To my knowledge:

However, the rest endpoint to the view layer is exposed to the public. Am I right in that anyone with some knowledge could just started adding records via the rest endpoint outside of the correct form controls?
-> Yes

Is there anyway to restrict the rest end point so only suvery123 can see it or is there a way to restrict only records summitted via survey123 to be added?
-> No, only by sharing it privately

There is a workaround you could use:
Add an invisible field to your survey that contains a specific value and is not visible for any other user in the form.
Then write a notebook script to look in the feature service an delete all values that were not sent directly from the survey123 app based on the hidden field value. You could then schedule the Notebook in ArcGIS Online to clean up the layer regularly.
Not sure if this is worth the effort, probably depends on your Survey and how it is being used.

+ Take a look at Limiting Access to Public Survey123 Responses (esri.com)

View solution in original post

SimonSchütte_ct · ‎12-01-2023

To my knowledge:

However, the rest endpoint to the view layer is exposed to the public. Am I right in that anyone with some knowledge could just started adding records via the rest endpoint outside of the correct form controls?
-> Yes

Is there anyway to restrict the rest end point so only suvery123 can see it or is there a way to restrict only records summitted via survey123 to be added?
-> No, only by sharing it privately

There is a workaround you could use:
Add an invisible field to your survey that contains a specific value and is not visible for any other user in the form.
Then write a notebook script to look in the feature service an delete all values that were not sent directly from the survey123 app based on the hidden field value. You could then schedule the Notebook in ArcGIS Online to clean up the layer regularly.
Not sure if this is worth the effort, probably depends on your Survey and how it is being used.

+ Take a look at Limiting Access to Public Survey123 Responses (esri.com)