Security of REST endpoint used by Everyone (public) Survey123 form!

11-30-2023 07:06 PM
ECarson
New Contributor II

Hi,

I'm interested in the Survey123 form with Everyone (public) enabled.

I'm happy with the form controls and how this guides the user to input the right information.

However, the REST endpoint to the view layer is exposed to the public. Am I right in that anyone with some knowledge could just start adding records via the REST endpoint outside of the correct form controls?

Is there any way to restrict the REST endpoint so only Survey123 can see it, or is there a way to restrict only records submitted via Survey123 to be added?

Any help or guidance on this would be beneficial.

Regards,

Elliott

 


Accepted Solutions
SimonSchütte_ct
Occasional Contributor III

To my knowledge:

However, the REST endpoint to the view layer is exposed to the public. Am I right in that anyone with some knowledge could just start adding records via the REST endpoint outside of the correct form controls?
-> Yes

Is there any way to restrict the REST endpoint so only Survey123 can see it, or is there a way to restrict only records submitted via Survey123 to be added?
-> No, only by sharing it privately

There is a workaround you could use:
Add an invisible field to your survey that contains a specific value and is not visible for any other user in the form.
Then write a notebook script to look in the feature service and delete all values that were not sent directly from the Survey123 app based on the hidden field value. You could then schedule the Notebook in ArcGIS Online to clean up the layer regularly.
Not sure if this is worth the effort, probably depends on your Survey and how it is being used.

+ Take a look at Limiting Access to Public Survey123 Responses (esri.com)
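
One way to write the cleanup notebook described in the answer above, as an added example that is not part of the original post or Esri's own code. The field name `src_token`, the marker value and the `FakeLayer` stand-in are constructed for illustration; the real layer object is assumed to behave like `arcgis.features.FeatureLayer`.

```python
import re

FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def unmarked_where(field, marker):
    """WHERE clause matching rows whose hidden field is empty or wrong."""
    if not FIELD_RE.match(field):
        raise ValueError(f"unexpected field name: {field!r}")
    quoted = marker.replace("'", "''")  # escape quotes inside the SQL literal
    return f"{field} IS NULL OR {field} <> '{quoted}'"

def purge_unmarked(layer, field, marker, dry_run=True, batch=500):
    """Return object IDs lacking the marker; delete them unless dry_run.

    `layer` must offer query(where=, return_ids_only=) and
    delete_features(deletes=), as arcgis.features.FeatureLayer does.
    """
    found = layer.query(where=unmarked_where(field, marker), return_ids_only=True)
    oids = sorted(found.get("objectIds") or [])
    if dry_run:
        return oids
    for i in range(0, len(oids), batch):
        ids = ",".join(str(o) for o in oids[i:i + batch])
        res = layer.delete_features(deletes=ids)
        if not all(r.get("success") for r in res.get("deleteResults", [])):
            raise RuntimeError(f"delete failed in batch starting at {oids[i]}")
    return oids

class FakeLayer:
    """Constructed in-memory stand-in so the example runs offline."""
    def __init__(self, rows):
        self.rows = dict(rows)  # object ID -> hidden field value
    def query(self, where, return_ids_only=True):
        marker = re.search(r"<> '(.*)'$", where).group(1).replace("''", "'")
        return {"objectIds": [o for o, v in self.rows.items() if v != marker]}
    def delete_features(self, deletes):
        ids = [int(x) for x in deletes.split(",")]
        for o in ids:
            self.rows.pop(o)
        return {"deleteResults": [{"objectId": o, "success": True} for o in ids]}

if __name__ == "__main__":
    # In an ArcGIS Notebook, replace FakeLayer with the real layer, e.g.:
    #   from arcgis.gis import GIS; from arcgis.features import FeatureLayer
    #   layer = FeatureLayer("<feature-layer-url>", gis=GIS("home"))
    demo = FakeLayer({1: "s123-7f3a", 2: None, 3: "guess", 4: "s123-7f3a"})
    print("would delete:", purge_unmarked(demo, "src_token", "s123-7f3a"))
    print("deleted:", purge_unmarked(demo, "src_token", "s123-7f3a", dry_run=False))
```

Run it with `dry_run=True` first and review the returned IDs before scheduling deletions. The marker value is delivered to every client that loads the public form, so this removes casual direct writes rather than authenticating the sender.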
