API workflow names public through devtools?

Are backend workflow names publicly visible using devtools?

I was just checking how Bubble apps look in devtools and all the information that is downloaded, and I saw that for my app I am able to see in the static.js file the names of all my backend workflows. However, I inspected other apps built on Bubble and I didn’t see backend workflows, which left me wondering if I am missing any security setting.

Is this visibility normal or am I missing additional privacy settings?

Thanks!

All publicly exposed BE workflows will be visible.

1 Like

But I am seeing many workflows for which I do not have “expose as public API workflow” checked.

If they’re scheduled on the page (or a reusable element in the page) then they’ll be visible. All workflow logic is visible client side.

If there is any business logic in your application that is sensitive, it should be in a backend workflow, which is the only place in Bubble in which a workflow can exist without a technical user being able to find out what that workflow does.

2 Likes

I was testing and saw a strange behaviour.

I created a blank page, loaded it and inspected it in devtools, and backend workflow names are still appearing.

However, when accessing as a logged-out user, the backend workflow names do not show.

I believe exposing only the name of a backend workflow should not compromise security, it only shows the structure of your app.

Hey @gaem400, you might be interested to know that what you can view in devtools differs slightly when logged into a session that has access to the Bubble editor (e.g. the same browser/tab that has access to this app’s editor).

It can affect things like debugging page load redirects etc.

2 Likes

Yes, it’s normal to see workflow names in static.js. I panicked the first time too, but it doesn’t expose the logic or sensitive data, only the names. Other apps may show fewer items or have different compression. What matters is that sensitive backend steps are protected with proper privacy rules.

1 Like

Thanks everyone, all is clear now!

1 Like