Is text (like an endpoint) inserted inside a custom plugin safe?

I was wondering if text inserted inside the inputs of plugin elements will be showed to the end user (if a tech savvy enough goes and searches for it).

For example with this plugin I have to insert an endpoint which is very sensible, therefore I would like to know if there is any way it could get exposed to the end user. On Bubble’s documentation it says that everything that is on the editor, except backend WFs is potentially visible. Does it apply too to plugin elements?
See screenshot:


Yes. It would be visible.

What about information in the plugin tab? That shouldn’t be visible right?

Yea those are fine just make sure to mark them as “Private” in the Shared tab, but then your plugin element won’t be able to read them because it is on the client’s browser

1 Like

I’m sorry, where do I find the shared tab? In the plugin tab there’s no way to mark them as private (as with the API connector).
Anyway, even if I found a way to mark them private, it’s useless because the plugin wouldn’t function, right?

It is this part here

You would mark that as Private to ensure they never get leaked to the client. This would be useful for like API keys or something the Bubble app owner would never want to leak out

That also means Bubble app users would never be able to dynamically fill that in so may not be what you’re looking for…

Is it just some endpoint for websockets? If so have your endpoint restricted to only allow traffic from your app’s domain, then it doesn’t rlly matter if users see it (no way around them seeing it)

I understood, but I do not have access to that because it is not my plugin and it is not open source so I cannot fork it.

I will check out the last thing you said. Thank you!

1 Like