The Common Misconception
Many developers rely on server-side redirects as a primary security measure for protecting sensitive pages like admin panels. The conventional wisdom suggests that since server-side redirects happen before page load, users can’t access the protected content. However, this assumption is incorrect.
Why all server-side redirects are bypassable
How Server-Side Redirects Actually Work In Bubble
- When a page is requested, Bubble typically checks redirect conditions before sending page data
- However, the page data itself (including elements and workflows) can also be accessed directly
- Malicious users can bypass the redirect mechanism by:
- Downloading the page data directly
- Rendering the content locally
- Preventing redirect execution in their browser
Real-World Attack Scenario
Consider a marketplace application with an admin panel containing a user management table. Even with server-side redirects in place, an attacker could:
- Bypass the redirect to load the admin page
- Access the user table’s underlying functionality
- Execute administrative actions like:
- Sending emails through your application
- Deleting user accounts
- Accessing sensitive user data
The attack succeeds because many developers assume the page itself is inaccessible, leading them to omit crucial workflow-level security checks.
Security Best Practices
1. Use privacy rules on non-public data always, without exception
- Implement privacy rules as your primary security mechanism
- Never rely solely on server-side redirects
- Add security checks at every level of your application
- This alone is insufficient, as just because someone can see a Thing (e.g a User) doesn’t mean they should be able to take actions on it (e.g deleting it).
- Do not forget ‘is not empty’ conditions to protect orphaned data
- Test them to ensure they work as expected (NQU Secure can help with this, details at bottom of thread)
2. Make elements invisible by default on sensitive pages
- Set page elements to hidden by default
- Only reveal elements after confirming user permissions
- Remember that hidden elements can still be exposed via JavaScript but it at least makes it a little harder
3. Add conditions to workflow events
- Add explicit conditions to ALL workflow events that you wouldn’t want everyone to run
Example: Current User's Role is Admin
- Apply conditions even on “protected” pages
- These should not reference page elements (e.g, you should reference
Current User's Role
, notvar - user role
, asvar - user role
can be changed.
4. Static data in the front-end (inc. workflows) is always accessible
- Never store sensitive data (API keys, credentials) in page elements
- Assume all static content that’s not in the backend is potentially accessible
- Move sensitive operations to backend workflows
The Bigger Picture
The security landscape for server-side redirects isn’t as straightforward as many developers assume. Very little documentation exists about these vulnerabilities (though @petter updated the manual today ), which has logically led to widespread misconceptions about best practices in the Bubble community. While Bubble could theoretically check permissions for every page element, this would significantly slow down page loading times – hence their choice to prioritize performance.
Auditing your apps
I’m building the most advanced security tool for Bubble - and it’s already reached that level. I’m going to be implementing checks for this security issue. You can sign up @ https://secure.notquiteunicorns.xyz for free point-in-time audits that detail issues that existing tools can’t find, and manual reviews miss. Almost every app has at least one critical issue.
We also have the only privacy rule debugger that exists for Bubble, which allows you to test privacy rules for any user type, not just logged out users.
Search and explore the data accessible to that user. No Data API or collaborator access needed.