From what I know, the moment you have a header in API Connector, the call is processed server side, not client side. The call should be secure. There’s an option in API Connector to make the call on the client side, but this only applies if you don’t have any header.
Shared HTML header stuff in the plugin editor should not be used in 95% of plugin cases. This will add the header to all app pages even if the plugin is not used on that page. For the additional key in the shared section, you need to select public or private. A private key cannot be used in element or client-side actions, if I remember.
Pls, explain. Does the API-Connector, which most templates use, automatically secure the result of an LLM? How? I ask because the results can be anything from plain text to markdown, HTML, Python code or SVGs. You can test this in any Bubble ChatGPT template.
The API Connector secures your secret keys by not exposing them to the client. The result data fetched with it can be used securely or not. If you insert the data in a Bubble text element it’s OK. If you use it in an HTML element you are back to a security issue.
Your example exposes secret keys to the client and injects the result directly in the page. Both things are security issues, so it’s not great to have that as an example of a tip.
Using fetch directly is a good thing, but it takes a lot more to do it properly. Of course you are free to use any example as a tip, even something against best practices, if you are happy with that.
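The text-element versus HTML-element point above, as an added example that is not from any post in this thread and is not Bubble or API Connector code: the LLM result is escaped first, and only markup the function generates itself (code blocks and line breaks) reaches the HTML element. The names `escapeHtml`, `renderLlmResult` and `SAMPLE` are hypothetical, and the sample result is constructed.

```javascript
// Added example: hypothetical helpers, not part of Bubble or the API Connector.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Neutralise every character that can open a tag, an attribute value or an entity.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Matches a fenced code block; \u0060 is the backtick character.
const FENCED_BLOCK = /\u0060{3}[^\n]*\n([\s\S]*?)\u0060{3}/;

// Treat the whole LLM result as untrusted text. split() with one capture
// group returns prose at even indexes and code-block bodies at odd indexes.
// Every piece is escaped; the only tags in the output are the ones added here.
function renderLlmResult(untrusted) {
  return String(untrusted)
    .split(FENCED_BLOCK)
    .map((part, i) => {
      const safe = escapeHtml(part);
      return i % 2 === 1
        ? `<pre><code>${safe}</code></pre>`
        : safe.replace(/\n/g, "<br>");
    })
    .join("");
}

// Constructed sample: an LLM result mixing prose, SVG with an event handler,
// and a fenced Python snippet that itself contains HTML.
const FENCE = "\u0060".repeat(3);
const SAMPLE =
  'Here is your logo:\n<svg onload="alert(1)"></svg>\n' +
  FENCE + 'python\nprint("<b>hi</b>")\n' + FENCE +
  "\nDone.";

// In a page this string would be assigned to the HTML element's content;
// assigning the raw result instead is the issue described above.
console.log(renderLlmResult(SAMPLE));
```

If the result must be displayed as real HTML or SVG rather than as text, escaping is not enough and an allowlist-based HTML sanitizer is needed instead.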