Bubble.io Security Scanner
4 ratings
Overview
DevTools panel that scans exposed Bubble.io app JSON for security vulnerabilities and data leaks.
**What does Bubble.io Security Scanner do?**

Bubble.io apps expose a client-side JSON object that contains API keys, workflow logic, database schema, page names, and more. This extension extracts and analyzes that data to surface security risks that are visible to anyone who knows where to look.

**Key features**

1. API Connector Analysis: Scans every API connector call and classifies it by risk level. High Risk flags exposed authorization headers, Bearer tokens, and API keys. Medium flags body or URL parameters that carry data. Safe confirms everything is properly privatized. You can test any call live inside the extension without leaving the browser.
2. Google Maps API Key Checker: Extracts the Google Maps API key from the app and tests it against 8 Google APIs to check whether it is restricted to specific domains. An unrestricted key can be used by anyone, leading to unauthorized usage and unexpected billing.
3. Page Accessibility Auditor: Checks every page to determine whether it enforces a server-side redirect (HTTP 302, secure) or a client-side redirect (HTTP 200, insecure). Also captures all Fetch and XHR network requests made on each page and automatically highlights any personally identifiable information found in responses, including emails and phone numbers.
4. Data API and Swagger Explorer: Fetches the Bubble app's public Swagger specification, parses it, and renders the full backend API surface, including all workflow endpoints and data type endpoints. Endpoints can be tested live inside the built-in Swagger editor.

**How it works**

Open Chrome DevTools on any Bubble.io app, navigate to the Bubble Scanner tab, and click Scan Page. The extension reads the publicly accessible app object, analyzes the configuration, and returns findings ranked by severity: Critical, High, Medium, Low, and Info.

**Privacy**

This extension operates entirely in your browser. No data is collected, stored, or transmitted to any external server. All analysis happens locally.

**Intended use** This extension is intended for security researchers, Bubble.io developers auditing their own apps, and agencies performing security reviews of apps they are authorized to assess.
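
The redirect and PII checks described under Page Accessibility Auditor can be sketched as below for auditing your own app. This is an added example, not the extension's code: the function names, the regular expressions and the sample pages are assumptions, and the responses are constructed rather than fetched.

```javascript
// Added example. Sample data is constructed; all names are hypothetical.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// International-format numbers only (leading "+"), so bare timestamps and IDs are ignored.
const PHONE_RE = /\+\d[\d\s().-]{6,14}\d/g;

// Classify how a login-protected page answers an unauthenticated request.
function classifyPageAccess(page) {
  if (page.status === 302 && page.location) {
    // The server refused to deliver the page and sent the visitor elsewhere.
    return { page: page.name, verdict: "server-side redirect", secure: true };
  }
  if (page.status === 200) {
    // The page was delivered; any redirect runs in the browser after load.
    return { page: page.name, verdict: "client-side redirect", secure: false };
  }
  return { page: page.name, verdict: "unclassified", secure: null };
}

// Flag emails and phone numbers in captured Fetch/XHR response bodies.
function findPii(captured) {
  const hits = [];
  for (const { url, body } of captured) {
    const emails = body.match(EMAIL_RE) || [];
    const phones = body.match(PHONE_RE) || [];
    if (emails.length || phones.length) hits.push({ url, emails, phones });
  }
  return hits;
}

function auditPages(pages) {
  return pages.map((p) => ({ ...classifyPageAccess(p), pii: findPii(p.requests || []) }));
}

// Constructed sample: one page redirected by the server, one delivered with data.
const SAMPLE_PAGES = [
  { name: "admin", status: 302, location: "/login", requests: [] },
  { name: "dashboard", status: 200, location: null, requests: [
    { url: "https://app.example/api/users",
      body: '{"email":"ana@example.com","phone":"+1 415 555 0100"}' },
    { url: "https://app.example/static/app.js", body: "console.log(1714464000000)" },
  ] },
];

for (const finding of auditPages(SAMPLE_PAGES)) {
  console.log(finding.page, finding.verdict, JSON.stringify(finding.pii));
}
```
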
5 out of 5, 4 ratings
Details
- Version: 2.2.0
- Updated: April 30, 2026
- Offered by: the-nocode-dev
- Size: 465KiB
- Languages: English (United Kingdom)
- Developer: Email nocode.developer11@gmail.com
- Non-trader: This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer.
Privacy
This developer declares that your data is:
- Not being sold to third parties, outside of the approved use cases
- Not being used or transferred for purposes that are unrelated to the item's core functionality
- Not being used or transferred to determine creditworthiness or for lending purposes