Bits of your Bubble app you might not know are public

Okay, well public = dead easy to find by the /meta URL.

If not public, I’m almost certain there’ll be a way to find out either a list of all backend workflows, or the name of a backend workflow scheduled using schedule API workflow.

I can’t check right now as I’m in a plane that’s hopefully going to take off but I endeavour to find out a method to see non-public BE workflow names/endpoint URLs when I’m back :saluting_face:

Never use obfuscation (making it hard to find or understand) as a sole security measure - especially with Bubble, where all apps share the same blueprints.

2 Likes

Let me know what you find!

And yeah, I don’t think obfuscation works on its own obviously, but I also think it’s a good thing when combined with server-side conditions on server-side actions + privacy rules.

Curious if you found anything @georgecollier . Was also wondering about parameters used in backend workflows, would be nice to know if these are exposed client side or not.

Yes, you can find the backend workflow name even if it is not public. It is in the static.js file on every page load.

I was not able to find the parameter but I would assume that would be public too.

1 Like

Can you confirm that you can find it WITHOUT running in the test version? My test version is protected. I checked the live version and the static.js file didn’t have the name of my backend workflows, but the debug/test version did.

Edit: I checked again, and it seems that for the non-test version of your page, Bubble obfuscates backend workflow names, but leaves the parameter names public.

This is a great post and something that folks like myself need to be made aware of. I’m starting out and this is essential to know.
Thanks

2 Likes