Why your API connector calls are public

Here’s something useful to know about the API Connector that isn’t widely talked about, and isn’t particularly intuitive: when you set up an API call, the initial response gets saved in your app’s code. This means if your test response contains any sensitive data, it becomes part of your app’s client-side code.

So, what content in your API Connector is public?

Anything not marked as private, is public.

Assume that anything not in a parameter marked as private is public. Sounds obvious, doesn’t it? The screenshot below shows which data is public in this API call. Red is publicly visible, and green is private.

  • URLs
  • body structure
  • any sample values in parameters that aren’t private
  • names of non-private parameters

Your API response is public

This is the one that gets people. When you initialise the API call, the entire response is stored in the app code.

I (and NQU Secure) have found admin API keys, highly personal customer data and more lying around in apps that weren’t aware of this vulnerability.

How It Works

When configuring the API Connector:

  1. You make a test API call to set up the response structure
  2. Bubble saves this response in your app code
  3. This saved response becomes accessible as part of your app’s static content

What To Consider

If your test API response includes:

  • Customer information
  • API keys or tokens
  • Internal configuration details

These will be stored in your app’s code. While this isn’t always a problem, it’s smart to use sanitised or test data.

Solution

The fix is straightforward - just ensure your test response doesn’t contain sensitive information while maintaining the same structure. This means:

  1. Using placeholder data in your test response by changing any response values to ‘example’ or ‘null’.
  2. Keeping the response structure identical
  3. Saving this clean version as your default response (use ‘Manually enter API response’.

Fixing it quickly

To make this process easier, I’ve also created a free tool (no signup required) on NQU Secure that automatically sanitizes API responses while preserving their structure. You can try it out on the homepage without any account - use to your heart’s content.

CleanShot 2024-12-19 at 13.12.10

8 Likes

can you upload a video, the gif is too choppy and fast to see what is happening.

oh, cool…so just need to copy the initial response, change the values of parameters and then paste back in and save. Awesome tip.

1 Like

Yes. If you’re initialising a new API call, you’ve got to save it, then re-click Manually enter API response rather than just ‘edit raw data’. That’ll make sure type info is preserved.

And yes, I’ve built a feature that automates this in one click for all API calls, but I bricked my app while building it and don’t want to risk doing that to yours hence it’s not released :slight_smile:

“move fast and break stuff”…has served some billionaires well in silicon valley, for me personally moving too quickly has always cost me 2-3 times as much time if I had just gone a bit slower, as the time it took to break something, figure out why, then redo without breaking.

2 Likes

Yeah, well I’m taking the slow approach here haha.

By brick my app, I mean brick it so that not even the editor loads and I can’t restore from a savepoint. I had to unbrick it by reverse engineering how I bricked it :rofl:

That’s actually why I built the backup feature. Before we make any change to your app (we support some basic config auto-fixes) we take a backup. And then I was like, well, might as well put the little bit of effort in to let you backup whenever you want, on a schedule.

If you can think of any other micro-tools that would help with your security or building in general then do let me know and I’ll build them.

1 Like

Thanks for this latest security tip. It’s a very valuable series.

Indeed, this was the most revelatory issue when I first ran NQU Secure earlier this week. It’s really helpful that you’re surfacing these unknown unknowns. Ideally, such issues wouldn’t be overlooked in Bubble’s implementation in the first place; however, given that they’re present and can be worked around, they should have been noted in the manual long ago (here’s another opportunity for improvement, @petter).

1 Like

Just leaving this here - I added bulk API call sanitisation to NQU Secure. You can easily sanitise your entire API Connector in a few seconds rather than going through it all manually.

CleanShot 2025-01-08 at 21.00.51

1 Like

Wowza, thank you. What a contribution.

I wonder: does the bubble community see how much @georgecollier is helping here?

1 Like