Security Policies

This topic refers to functionality that is only available to accounts on the Quick Base Platform or Quick Base Unlimited plans. If you do not see the functionality described here, either your account or realm has not been configured to show it, or your account is not on one of those plans.

To manage security policies for your realm:

  1. On the My Apps page, click Manage name_of_realm, and then click Policies.

  2. In the Security policies section of the page, you can select the following options:

    • Prevent embedding in iframes:When checked, iframes embedding Quick Base pages (such as reports, forms, home pages, and custom code pages) from this realm display as blank. This applies whether the iframe is attempting to display an embedded view of an app on the domain, or on an external website.
    • Prevent external redirects:When checked, any redirects within formula fields or links are ignored if they are pointing to locations outside the domain. For instance, if you have a formula field set to add a new record and then send users to, this redirect would be ignored. Review the following table for more information on which type of links are affected.
      You can also opt to prevent most redirects, but allow or “whitelist” certain approved sites. When you select Ignore redirects to sites outside, an Allow redirects to these sites box appears. Enter a comma-separated list of hostnames in this box using the, format without including www. or http://
    • Control new users: When checked, if new users are invited to apps, they will require admin approval before any app access is allowed.
    • User Tokens: Enter the number of apps per user token. If left blank, it defaults to 20.
  3. Click Save at the top of the Policies page.

Tip: Verify your hostnames when you enter them and do not enter www. or http://

Type of link Example URL Formula Affected? What will happen with the setting turned on? Why?
Single link on the domain URLRoot() & “db/” & [DBID_PROJECTS] & “?a=API_AddRecord&ticket=auth_ticket&apptoken=app_token&_fid_25=Completed” No Will work normally This is an internal link, which does not contain a redirect
Single link outside the domain “” No Will work normally This is an external link, but it does not contain a redirect.
Link on the domain, then redirect to a second link on the domain URLRoot() & “db/” & [DBID_PROJECTS] & “?a=API_AddRecord&ticket=auth_ticket&apptoken=app_token&_fid_25=Completed” & URLEncode(URLRoot() & “db/” & [DBID_PROJECTS] & “?a=q&qid=1”) No Will work normally This link does contain a redirect, but it redirects to a page on the domain.
Link on the domain, then redirect to a link outside the domain URLRoot() & “db/” & [DBID_PROJECTS] & “?a=API_AddRecord&ticket=auth_ticket&apptoken=app_token&_fid_25=Completed” & URLEncode(“”) Yes The new record is added, then the standard XML response page is displayed. This link contains a redirect, and the page it redirects to is external to
Link outside the domain, then redirect to another link outside the domain "" & URLEncode(“”) Yes The home page of is displayed. This link contains a redirect, and the page it redirects to is external to


Go back

Did this help you? Give us a rating:


© 1999-2019  QuickBase, Inc.  All rights reserved.  Legal Notices.