Flusk offers a range of security verifications to ensure your app remains safe and secure. Below are some of the key security points covered by the tool, though please note that the features available to you will depend on your app plan. See a full feature breakdown by plan here.
| Issue | Description | Required Permissions |
| --- | --- | --- |
| Privacy Rules Definition | Check that Privacy Rules are defined for every data type. | |
| Public Sensitive Fields | Check that sensitive fields (e.g. users' personal data) are protected by Privacy Rules rather than readable by anyone. | |
| Database Leaks | Identify database leaks caused by misconfigured searches on pages, in reusable elements and through the Data API. | |
| Page Access Protection | Check that sensitive pages (admin dashboards, ...) redirect unauthorized users instead of relying on hidden elements. | |
| Bubble API Tokens | Inventory the internal API tokens, which grant full admin permissions, so they can be reviewed and rotated. | |
| Bubble Collaborators | Check for collaborators who should not have access to the app. | |
| Unsafe Google Maps API token | Check that your public Google Maps key is restricted to your app's HTTP referrers. | |
| API Connector Sensitive Parameter | Check for sensitive parameters exposed in API calls (e.g. an API key, a private unique ID, an endpoint). | |
| Visible URL in API call | Check for sensitive URLs exposed in API calls. | |
| Backend Workflows Protection | Check whether a backend workflow is publicly exposed (callable without authentication). | |
| Sensitive clear data in workflows | Check whether a login action uses cleartext (hard-coded) credentials. | |
| Assign temp password vulnerability | Check whether the "Assign a temp password" action can be triggered in unintended contexts. | |
| Editor Privacy | Check whether your app's editor is public, which would reveal the app's structure (databases, tokens, ...). | |
| Password Policy | Make sure your password policy is strong enough to protect your users' data. | |
| Swagger Privacy | Check whether your Swagger file leaks sensitive information about endpoints, parameters or the structure of your API responses. | |
| Test version protection | Check that your test version is protected by a username/password combination. | |
| Default username/password combination | Check that the username/password combination protecting your app is not the default one. | |
| Public file uploader | Make sure your file uploaders store uploaded files as private. | |
| Public picture uploader | Make sure your picture uploaders store uploaded pictures as private. | |
| iFrame restriction | Make sure your app cannot be rendered inside an iFrame on other origins. | |
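Two of the checks above (iFrame restriction and Public Sensitive Fields) can be approximated from outside the app, because both show up in what an unauthenticated client receives. The script below is an added example and is not Flusk's code: it classifies a response's framing headers and scans a Data API search result for sensitive-looking fields that came back populated. It assumes the Data API body has the shape `{"response": {"results": [...]}}` and uses a hypothetical list of field-name fragments to decide what counts as sensitive; the sample headers and records are constructed, not captured from a real app.

```python
"""Offline checks modelled on the iFrame restriction and Public Sensitive
Fields verifications. Added example, not Flusk's own code."""
import json

# Assumption: field names containing these fragments are treated as sensitive.
# A real audit would use the app's own data model instead of a word list.
SENSITIVE_NAME_FRAGMENTS = (
    "email", "phone", "password", "address", "ssn", "token", "secret",
    "api_key", "apikey", "birth", "dob", "card",
)


def frame_restriction(headers: dict) -> str:
    """Classify how response headers restrict embedding in an iFrame.

    Returns "blocked", "same-origin", "allowlisted" or "unrestricted".
    A CSP frame-ancestors directive is checked first because browsers that
    honour it ignore X-Frame-Options; X-Frame-Options is the fallback.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "blocked"
            if sources == ["self"]:
                return "same-origin"
            if "*" in sources:
                return "unrestricted"
            return "allowlisted"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "unrestricted"


def exposed_sensitive_fields(data_api_body: str) -> list:
    """Return sensitive-looking fields that an unauthenticated Data API
    search returned with a non-empty value.

    Assumption: body shape is {"response": {"results": [record, ...]}}.
    Privacy Rules strip fields the current user may not view, so a populated
    sensitive field here means the rule is missing or too permissive.
    """
    results = json.loads(data_api_body).get("response", {}).get("results", [])
    leaked = set()
    for record in results:
        for name, value in record.items():
            if value in (None, "", [], {}):
                continue
            lowered = name.lower()
            if any(frag in lowered for frag in SENSITIVE_NAME_FRAGMENTS):
                leaked.add(name)
    return sorted(leaked)


def audit(headers: dict, data_api_body: str) -> list:
    """Run both checks and return a list of human-readable findings."""
    findings = []
    if frame_restriction(headers) == "unrestricted":
        findings.append("iFrame restriction: page can be framed by any origin")
    leaked = exposed_sensitive_fields(data_api_body)
    if leaked:
        findings.append("Public sensitive fields: " + ", ".join(leaked))
    return findings


# Constructed sample inputs (not captured from a real app).
SAMPLE_HEADERS_WEAK = {"Content-Type": "text/html", "Server": "nginx"}
SAMPLE_HEADERS_HARDENED = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
SAMPLE_DATA_API_BODY = json.dumps({
    "response": {
        "cursor": 0, "count": 2, "remaining": 0,
        "results": [
            {"_id": "1700000000000x1", "name": "Alice",
             "email": "alice@example.com", "phone_number": "+1 555 0100",
             "Created Date": "2024-01-01T00:00:00.000Z"},
            {"_id": "1700000000000x2", "name": "Bob",
             "email": "", "phone_number": None,
             "Created Date": "2024-01-02T00:00:00.000Z"},
        ],
    }
})

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS_WEAK, SAMPLE_DATA_API_BODY):
        print(finding)
```

To use it against a live app, fetch the page and a `GET /api/1.1/obj/<type>` search with no session cookie or API token, and pass the response headers and body in; an empty findings list for an unauthenticated client is the state the Flusk checks are looking for.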