100% secure communication with backend?

Hello! Reading the below referenced conversation I understand the following:

Nowhere in WeWeb are we able to make a 100% protected backend communication?

Not from the Supabase plugin
Not from the OpenAI plugin
Not from the REST API plugin

So even if we use Buildship for example, the proxy you mention, someone could still use the public information of the call from weweb to Buildship and do the same thing…

Can someone please confirm or correct me?

Continuing the discussion from Is the API key in the Rest API secure?

EDIT:
Just read this in the docs:

“Nevertheless, at least in WeWeb, you could use our plugins to avoid this issue. Indeed, when you use our plugins, we store the API keys on our own servers, and proxify the API calls for you, automatically.”

So we can now safely assume that plugins are ok?
What about the REST API plugin? Is there a specific way to use it and be ok with using bearer keys etc?

EDIT 2: What happens in the case of selecting the pre-made Supabase action elements in the Workflow builder on the right of the editor screen? Are these considered frontend or “plugin safe” ?

What you can do, is limit the URLs which can invoke your backend, or protect it with Auth - I often discuss this with people during my coaching sessions (link in bio). The thing is, anything ever, not only in no-code, can be read by the end user, and information can be extracted, that’s how the web (not only no-code) works. What you can do, is protect your backend, via auth, or restrictions (IP, domain etc.).

Anything you do is “unsafe” if we follow your logic. You can make it safe by using Buildship or Supabase with RLS.

You can route your credentials through Supabase/Xano/Buildship, which indirectly calls the API and obfuscates the keys.

2 Likes