Security Policies

This topic refers to functionality that is only available to accounts on the Quick Base Platform or Quick Base Unlimited plans. If you do not see the functionality described here, either your account or realm has not been configured to show it, or your account is not on one of those plans.

To manage security policies for your realm:

  1. On the My Apps page, click Manage name_of_realm, and then click Policies.

  2. In the Security policies section of the page, you can select the following options:

    • Prevent embedding in iframes:When checked, iframes embedding Quick Base pages (such as reports, forms, home pages, and custom code pages) from this realm display as blank. This applies whether the iframe is attempting to display an embedded view of an app on the quickbase.com domain, or on an external website.
    • Prevent external redirects:When checked, any redirects within formula fields or links are ignored if they are pointing to locations outside the quickbase.com domain. For instance, if you have a formula field set to add a new record and then send users to example.com, this redirect would be ignored. Review the following table for more information on which type of links are affected.
      You can also opt to prevent most redirects, but allow or “whitelist” certain approved sites. When you select Ignore redirects to sites outside quickbase.com, an Allow redirects to these sites box appears. Enter a comma-separated list of hostnames in this box using the example.com,example.org format without including www. or http://
    • Control new users: When checked, if new users are invited to apps, they will require admin approval before any app access is allowed.
    • User Tokens: Enter the number of apps per user token. If left blank, it defaults to 20.
  3. Click Save at the top of the Policies page.

Tip: Verify your hostnames when you enter them and do not enter www. or http://


Type of link Example URL Formula Affected? What will happen with the setting turned on? Why?
Single link on the quickbase.com domain URLRoot() & “db/” & [DBID_PROJECTS] & “?a=API_AddRecord&ticket=auth_ticket&apptoken=app_token&_fid_25=Completed” No Will work normally This is an internal link, which does not contain a redirect
Single link outside the quickbase.com domain “https://www.yourcompany.com/home” No Will work normally This is an external link, but it does not contain a redirect.
Link on the quickbase.com domain, then redirect to a second link on the quickbase.com domain URLRoot() & “db/” & [DBID_PROJECTS] & “?a=API_AddRecord&ticket=auth_ticket&apptoken=app_token&_fid_25=Completed” & URLEncode(URLRoot() & “db/” & [DBID_PROJECTS] & “?a=q&qid=1”) No Will work normally This link does contain a redirect, but it redirects to a page on the quickbase.com domain.
Link on the quickbase.com domain, then redirect to a link outside the quickbase.com domain URLRoot() & “db/” & [DBID_PROJECTS] & “?a=API_AddRecord&ticket=auth_ticket&apptoken=app_token&_fid_25=Completed” & URLEncode(“https://www.yourcompany.com/home”) Yes The new record is added, then the standard XML response page is displayed. This link contains a redirect, and the page it redirects to is external to quickbase.com
Link outside the quickbase.com domain, then redirect to another link outside the quickbase.com domain "https://www.yourcompany.com/home?redirect=" & URLEncode(“https://www.yourcompany.com/news”) Yes The home page of yourcompany.com is displayed. This link contains a redirect, and the page it redirects to is external to quickbase.com