Before reading this article, keep in mind that a checklist can’t cover all possible security scenarios or threats. Consider it a useful starting point but remember that your app is a unique project that may warrant additional security measures not covered here.
We recommend reading our in-depth guides, continuing to educate yourself on Bubble app security best practices, and getting in touch with our Success team if you have any questions. Ensuring the security of your app is ultimately your responsibility, but we will do our best to provide you with the resources you need.
In this section we will cover many of the typical points that need to be checked and re-checked as your app goes through its first and subsequent deployments.
Planning
Plan the different parts of your security structure before you start building:
Data types
Pages
User roles
Bubble account security
Use a strong password
Enable two-factor authentication (2FA)
Create and maintain a password and 2FA policy for all collaborators
App access security
Don’t give collaborators more access than they need
Remove collaborators that no longer need access
Maintain a policy for access to the live database
Database
Add privacy rules to all private data types
Use "Only when" conditions to protect data from unauthorized editing in workflows, or use auto-binding in combination with privacy rules
Be mindful of who has access if you copy your Live database to Development
Page security
Don’t store sensitive data in page elements and workflows
Be mindful of other details that are visible in Bubble's JavaScript files:
Name of pages
Name of data types and default values
Information stored in the API Connector
Names and attributes of Option sets
Names and strings saved in application texts
Use the App optimizer to remove deleted data from the code
Don’t store sensitive data in URL parameters
Plugins and custom headers
Plugins and custom headers may affect security – make sure they come from a trusted source