Forum Academy Marketplace Showcase Pricing Features

[Demo] CryptoJS encryption (e.g. HMAC) using Env variables

Made a quick demo to set up CryptoJs encryption in seconds using the Env variable plugin.

If you’re looking to implement encryption / decryption using cryptographic algorithms e.g. HMAC-MD5, HMAC-SH256, AES etc. will find it useful.



Nice! Binance is a go!

1 Like

Haha yeah. Infact you could use their library directly I think

I’m building an new kind of orderbook as we speak. Was going to integrate direct trading as well, this was the last piece of the puzzle. You solved it.

1 Like

@gaurav I think you have a responsibility to highlight that doing encryption this way exposes the secret to the browser, so it is applicable to fewer scenarios than people are assuming.


Be aware that this plugin will only work while the user is on a page, not sure how authentication or delayed processes would work for that.

@mishav here’s my understanding

  1. Every single client-side plugin on bubble (which at this point is all plugins) need to disclose the same. This plugin isn’t any different in terms of security such as your Toolbox or Zeroqode’s CryptoJS plugin
  2. Bubble doesn’t support external libraries on the server-side plugins. So if anyone is claiming they can encrypt it server side it’s likely that the keys are being sent to their server which is a way bigger risk
  3. The secret generation in this case can be used as interim step to making the subsequent call and then the variable can be set to blank again.

So I think in general it’s probably responsible to disclose from the plugins tab for all client side plugins rather than this specific one that everything is exposed to the browser.

Nearly true, there are some server plugins already.

Yes I agree, and the same goes for Bubble’s crypto functions on text format, it even has a warning about not using it on a page expression.

Apart from Bubble’s functions which work in API workflows, yes other implementations are either sending to a server, or coding encryption without using standard libraries.

Sending to another server is not a great risk, if:

  • https and POST is used and nothing secret is in URL parameters.

  • the app owner has the option of ownership of the server space, and control of who has access. The secret can even reside on the server in this case.

This is equivalent to leaving it out in the open, from the point of view of scraper web bots.

I agree, and I have made similar warning comments for the other plugins where people are using them this way.

This specific topic you are demonstrating how to do cryptographic functions on the client, which is only fine if the secrets used are okay to be publicly known, or known to the user with access to the page. This would be a fairly unusual use case, as I’ve seen so far.

Well done for doing the research and presentation, hopefully we can convince Bubble to open up access to server side cryptographic functions or be able to write our own.


I don’t see the point of this. If you’re using a server space anyways, why use a bubble plugin at all then. Instead just write the code on server space and make an api call to have server do the work and receive the output. Its’ actually much faster and flexible than doing this stuff in bubble

I’m not sure that’s accurate. If you’re referring to the values in the demo that are taken from input, that was just for demo. What would actually happen is that it would be saved in database, protected by privacy rule and be used directly in the Run JavaScript function. Regarding the use cases, it really is up to the developer to decide. After all, crypto js has a client-side library for a reason.

Thanks! Yeah I think its going to be a pretty tricky subject on their end from point of view of security & load balancing of their own cluster. Without ability to use node libraries though, I dont really see the point of server side actions personally. I’d love to know some example use cases where this has helped.

Agreed, this way of doing it is pretty standard by now.

Pulling the values to run in javascript exposes them to the browser, and thus no longer protected.

But your demo suggests an insecure use case …

I suggest you read up more on cryptography in the browser if you find my words unconvincing.

Interesting you mention that, I already had Bubble fix a kinda huge security flaw on server side, hopefully only small flaws remain.

As I mentioned earlier, that’s for every single plugin’s code. Any alternative solution other than not doing it in bubble?

Thanks for the advice. The demo is intended to be a demo for encryption decryption in the browser. I’m not debating on whether client side encryption / decryption is better than other forms or not. Fwiw, its also quite a norm now a days to have server side breaches exposing not one but millions of client data. There’s security in various forms and nothing is fully secure. I’m not claiming to be a security expert or anything at all btw.

Cool. Good to know.

While I loved the demonstration, there’s this “maxima” that says “client side is not the place to do security”. For demonstration purposes this is good, just tell people to not send a credit card number on this and it’s all good.

No need to discuss that much :sweat_smile:

Yeah I’ve been wanting to make that edit since @mishav’s first post but the bubble apps are down since :frowning:



1 Like

@gaurav @mishav, if we asked the bubble team to develop a more secure server side encryption action (like AES 256), would you be willing to sponsor or know of anyone else who would be?

Thanks for taking the initiative! I personally implement my server side code using serverless platforms like webtask / aws lambda / azure functions etc. I just find it easier as it doesn’t burden the bubble application with more stuff to do and is fast. is also free to a pretty good extent btw.

However there are others who might be interested in sponsoring a more off-the-shelf solution.

Hi @gaurav, if you have a few names of folks that would be interested in sponsoring a bubble solution, please PM me their names.

Thank you -

Hello. I went to the demo page, but the plugin doesn’t convert anything. He does not work?