I would like to build a system for human resources managers to track employee training. The system will not contain sensitive data but will allow the user to trigger paid training courses and contain employee names - so it needs to be secure.
Does anyone know if memberstack is suited to this? I have the firebase tutorial from 2018 and am about to run through them, I just wanted to see if I am on the right track. Thanks!
@DrNinjamonkey you can use the stack that @ChrisDrit suggested and at any point add firebase on top of it in case you need to store sensitive data or data types Memberstack doesn't include.
Thanks Chris, I actually had your guide open as a place to start!
My main question about memberstack is this - if someone tech savvy plays around with the console / turns off javascript, can they mess with users' data?
Training progress, paid tests etc will be tied to an employee name and although it isn't banking details it still needs to be confidential. Can MS do that?
I would reach out to MemberStack support with questions like that, I'm not the right person to be answering them. I can help with setup and architecture, I'm really good at that, but when it comes to PII specific needs speak to MS directly. Hope that helps!
It's an important question as I've recently learned that we're talking about "Hidden Content" in some cases here, creating some reluctancy on my use-case.
What's considered "sensitive content"? In the Memberstack demo, they share "Contracts" (files) that are client-specific. Perhaps I'm not the only one who considers client contracts sensitive?
Well, I was doing some research for the company I'm working with and we were testing the security of memberstack. I was able to break into all the websites that are on memberstack examples page, and was able to access all the hidden pages for those websites.
So, if you're dealing with sensitive information, don't use purely Webflow and memberstack since they only take care of the front end. You need a server side solution for sensitive data (Firestore + Security Rules for example) if you really want to secure your data
Unfortunate to hear, can you provide any proof that you were able to "break into all the websites"? Not doubting you but it's easy for anyone to state that here.
With that said, have you used any alternative setups? I've been checking out Firebase as an alternative.
I totally understand haha, I'm definitely getting you a video as soon as I get my hands on my PC. I won't share how I do it, in order to not make it easier to those ill intentioned.
And yep, we ended up going with firebase for our whole app and not even touch memberstack. This made sense to our app because we were going to use pretty much everything that firebase offers (authentication, hosting, database and cloud functions)… your needs might be a bit different, so I'd recommend you to look around for what makes the most sense to your needs
DISCLAIMER: I never did and never will use this type of knowledge to do bad things. This demo is intended to show the limitations of Memberstack and raise awareness for users that have extremely sensitive information being hosted in a website that uses any type of front-end-only authentication.
In terms of your Firebase setup, will it allow similar functionality in order to store "contracts" for a given user/account?
Ideally I'm looking to set up Clients and Users, where a Client is a reference field for Users, so I can have multiple Users who belong to a Client view the same data (without sharing login details).
I certainly need to share things like Contracts, Data Metrics (via a 3rd party embed), and "Tasks" at the least.
You are probably referring to some videos I made in 2018. These are out of date now but the principle of how you can use Firebase and Webflow together is still the same. However I wouldn't suggest anyone use this approach to build a real world production app. A quick and dirty MVP, sure, but there are major limitations with this approach for anything serious. Think of those videos more as information on how you can play around for fun.
To add to the comments about Memberstack above, the Memberstack guys themselves make it pretty clear on their website that they can't securely gate content:
Also AFAIK they have never claimed that they can, so there is nothing to debunk there. They openly admit that it's not actually secure.
The only way you can have real secure content with Webflow is to load that content after the page loads, and your back end will need to verify the user's token. Which it looks like they are working on.
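The pattern described in the post above (content fetched after page load, with the back end verifying the user's token), sketched as an added example that is not part of the original thread and is not Memberstack's or Firebase's code. The HMAC token format, the secret, the user/client records and the function names are all constructed assumptions; the point is that the server picks the content from the verified identity, so nothing gated ever ships in the page itself.

```javascript
const { createHmac, timingSafeEqual } = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumption: held only by the server
// Constructed sample data: several users share one client and see the same contracts.
const USERS = new Map([['u1', 'acme'], ['u2', 'acme'], ['u3', 'globex']]);
const CONTRACTS = new Map([['acme', ['acme-msa.pdf']], ['globex', ['globex-nda.pdf']]]);

const sign = (payload) =>
  createHmac('sha256', SECRET).update(payload).digest('base64url');

// Issued by the server after login. Hypothetical format: "<base64url JSON>.<hmac>".
function issueToken(userId, ttlSeconds, now = Date.now()) {
  const claims = JSON.stringify({ sub: userId, exp: now + ttlSeconds * 1000 });
  const payload = Buffer.from(claims).toString('base64url');
  return `${payload}.${sign(payload)}`;
}

// Returns the claims when signature and expiry check out, otherwise null.
function verifyToken(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const expected = Buffer.from(sign(parts[0]));
  const given = Buffer.from(parts[1]);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    return claims.exp > now ? claims : null;
  } catch {
    return null; // payload was not valid JSON
  }
}

// What the page's script would request after load. The client id comes from
// the server's own records for the verified user, never from the request.
function getContracts(authorizationHeader, now = Date.now()) {
  const token = String(authorizationHeader || '').replace(/^Bearer /, '');
  const claims = verifyToken(token, now);
  const clientId = claims ? USERS.get(claims.sub) : undefined;
  if (!clientId) return { status: 401, body: [] };
  return { status: 200, body: CONTRACTS.get(clientId) || [] };
}
```

Editing the page in the browser console or disabling JavaScript changes nothing here, because an unauthenticated request only ever receives the 401 response.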
Hi Jason, your videos really helped me start with Firebase so thanks for that.
I'm currently learning svelte and working with a friend to build components in that, I was wondering if you have used it before? So far I'm pretty happy with it and it works well inside webflow.
Glad you enjoyed them. I've only ever played with Svelte, I've never built anything production with it. Seems pretty good but personally I wasn't a fan of having to learn another syntax. React is much closer to vanilla JavaScript which makes sense to me.
Looking at it now, since you mentioned it - interesting though could be a higher cost than I could justify for a dozen clients, even the need is features that aren't offered in the first two plans.
You're right. I used it initially for a statewide health company. It worked very well, but with HIPAA compliance it was $1000 a month just for the Caspio plan. Eventually rebuilt the web apps using a different no-code service.