Regarding security headers such as X-Content-Type-Options: nosniff and Strict-Transport-Security, Bubble does not currently expose settings that allow you to configure these headers. The platform's engineering team is aware that these headers are missing and is tracking the issue, but there is no immediate plan to resolve it due to potential impacts on site functionality.
We are currently a bit outside best practice when it comes to HTTPS, in that we don't send the Strict-Transport-Security header that tells browsers a site is only available over HTTPS. Our engineering team has expressed to us that this is largely a semantics issue: we do redirect every non-HTTPS request to any Bubble app to HTTPS, so a browser that follows the redirect always ends up on an HTTPS connection. The difference the header makes is that, without it, the browser's first request to the app still goes out over plain HTTP before the redirect is received; with HSTS in place, a browser that has previously visited the app rewrites that request to HTTPS itself and never sends it in the clear.
Our engineers have noted that the best practice is to include this header and have communicated that, while we work on adding it, rolling it out platform-wide is not an easy task, as it affects our overall site architecture. We've added it as a project to our roadmap.
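Because the headers above cannot be set from within Bubble, the practical step for an app owner is to verify what their app actually sends. The following script is an added example, not Bubble's code and not taken from this page: it checks a plain-HTTP response for a redirect to an HTTPS origin and an HTTPS response for Strict-Transport-Security and X-Content-Type-Options: nosniff. The sample responses are constructed for illustration, the one-year minimum HSTS lifetime is this example's assumption, and `fetch_head` (a HEAD request that refuses to follow redirects) is used only when a URL is passed on the command line.

```python
"""Audit the security headers discussed above (added example, not Bubble's code)."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# One year in seconds; a common recommendation assumed by this example, not a
# value taken from the page.
MIN_HSTS_MAX_AGE = 31536000

# Constructed sample responses, not captured from any real app.
SAMPLE_HTTP_REDIRECT = (301, {"Location": "https://example.com/"})
SAMPLE_HTTPS_NO_HSTS = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE_HTTPS_HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_https_response(headers):
    """Return findings for an HTTPS response; an empty list means both headers are fine."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security: the browser's first "
                        "request will still go out over plain HTTP")
    else:
        directives = parse_hsts(hsts)
        try:
            max_age = int(directives.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age={max_age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


def audit_http_redirect(status, headers):
    """Check that a plain-HTTP request is answered with a redirect to an https:// URL."""
    h = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 302, 307, 308):
        return [f"plain HTTP served content (status {status}) instead of redirecting"]
    location = h.get("location", "")
    if urlsplit(location).scheme != "https":
        return [f"redirect target is not HTTPS: {location!r}"]
    return []


def fetch_head(url):
    """HEAD the URL without following redirects; returns (status, headers)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the redirect instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # urllib raises on 3xx when not followed
        return err.code, dict(err.headers)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = urlsplit(sys.argv[1]).netloc or sys.argv[1]
        print(audit_http_redirect(*fetch_head(f"http://{host}/")))
        print(audit_https_response(fetch_head(f"https://{host}/")[1]))
    else:
        print("redirect:", audit_http_redirect(*SAMPLE_HTTP_REDIRECT))
        print("no HSTS:", audit_https_response(SAMPLE_HTTPS_NO_HSTS))
        print("hardened:", audit_https_response(SAMPLE_HTTPS_HARDENED))
```

Run it with no arguments to see the findings for the constructed samples, or pass a hostname to audit a live app. Note that a clean redirect check plus an HSTS finding is exactly the state the text describes: traffic ends up on HTTPS, but nothing stops the first request from leaving the browser in the clear.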