Hi,
Is there any vulnerability to having sensitive data stored in a default custom state? Can someone find a way to get access to see that default value?
I need it to pass information to an action I need to populate an important password.
Don’t use custom states for sensitive data. I believe it’s possible for a user to view those states using the browser dev tools.
Anything that is sent to the browser can be accessed by the user.
Private parameters in plugins and the API connector are stored on the server and are secure.
@dorilama @bryan_333 where can I find a way to store a sensitive password to be safely secured in Bubble’s database and passed on to the workflow that I need to add in an action?
Can you elaborate on your use case?
Is it just 1 password or 1 password per user?
What do you need to do with that password?
I have a plugin that has an action that takes a secret key that is needed to generate a signature. I need to pass that secret key every time a user needs a signature generated by my secret key.
Is this secret key just one and you need to pass it to the plugin every time you want to generate a signature with it?
If yes, it should be defined as a private plugin key to be used in a backend action. This way you input it in the plugins panel of the editor and it stays on the Bubble server.
No, you never want to store any sensitive data in custom states, option sets, default values for the database or even inside workflows - basically, whatever is on the client is untrusted.
Server = security
Cheers.
yes.
Okay, yes, that is something that should be added by the plugin owner later on. I just wanted to find a way to do it without having access to the plugin.
Is it safe with Bubble backend actions?
Yes! As no information will be shared/hosted with/in user’s browser.
Yes, all private stuff should be handled via server actions
Server = safe.
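
The advice in this thread, as an added example that is not from any poster or from Bubble's own code: a signing action that runs on the server and returns only the signature, next to a check of what each design ships to the browser. HMAC-SHA256, the `(properties, context)` shape, the `context.keys` object and all names and values are assumptions for illustration.

```javascript
const crypto = require("crypto");

// Constructed placeholder secret. In a real app it is entered once in
// server-side configuration and never appears in page data.
const DEMO_SECRET = "constructed-demo-key-not-a-real-secret";

// Assumed stand-in for the server-only key store handed to a backend action.
const serverContext = { keys: { signing_key: DEMO_SECRET } };

// Backend action: the client supplies only the message to sign.
function signOnServer(properties, context) {
  const key = context.keys.signing_key;
  if (!key) throw new Error("signing key is not configured on the server");
  if (typeof properties.message !== "string" || properties.message === "") {
    throw new Error("message must be a non-empty string");
  }
  const signature = crypto
    .createHmac("sha256", key)
    .update(properties.message, "utf8")
    .digest("hex");
  return { signature }; // the key itself is never part of the response
}

// Server-side verification with a constant-time comparison.
function verifyOnServer(message, signatureHex, context) {
  const expected = Buffer.from(signOnServer({ message }, context).signature, "hex");
  const given = Buffer.from(String(signatureHex), "hex");
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Audit helper: true if the secret appears anywhere in data bound for the browser.
function leaksSecret(clientBoundData, secret) {
  return JSON.stringify(clientBoundData).includes(secret);
}

// Constructed payloads: what the browser receives in each design.
const unsafePagePayload = {
  custom_states: { signing_key_default: DEMO_SECRET }, // default value ships with the page
};
const safeActionResponse = signOnServer({ message: "order-42" }, serverContext);

console.log("custom state default leaks key:", leaksSecret(unsafePagePayload, DEMO_SECRET));
console.log("backend action response leaks key:", leaksSecret(safeActionResponse, DEMO_SECRET));
```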