
Security dashboard: getting started

Everything you need to know to get up and running with Bubble's security dashboard — what it is, what it costs, how it works, and how to set up your team.

Written by Sofia Maconi

What is the security dashboard?

The security dashboard (formerly Flusk) is a tool that integrates with your Bubble app to provide automated threat detection, security monitoring, and observability. It surfaces vulnerabilities, monitors user experiences, and provides real-time error tracking — so you can protect your app and end-users from threats while staying compliant with industry standards.

You don't need a dedicated security team to use it. The dashboard and its alerts are designed to be easy to understand whether you're technical or not.


Is it included in my Bubble subscription?

Yes — access to the security dashboard is included starting from the Starter plan. For a full breakdown of which features are available on each plan, check the Bubble manual. Agency account holders also have access — view the full feature list for your plan here.


How do I get started?

Sign in with your Bubble credentials at scan.bubble.io. Access begins with the Starter plan.


What does the security dashboard test for?

The security dashboard tests for Bubble-specific privacy vulnerabilities, including:

  • Missing privacy rules

  • Sensitive data exposed in workflows

  • Unsafe API call configurations

For the full list of security checks, see the Bubble manual.


How does it process my app's data?

The security dashboard is designed to minimize exposure to your app's data. Here's what it does and doesn't do:

  • Mainly uses publicly accessible data — it fetches the public JSON application file of your app, which only contains information about its structure

  • Never accesses, fetches, or copies data from your app's database. You can also revoke database access from within the security dashboard

  • Requires all app owners to verify ownership, so the tool can't be used to scan other people's apps

  • Avoids using customer data for security tests whenever possible — field sensitivity, for example, is assessed from field names and context only

  • Never stores customer data on its servers — any data used during a check is deleted immediately afterward

How the scan works

Each security test follows these steps:

  1. Make a first API call to get the list of all pages in your application

  2. Fetch the JSON object of each page

  3. Analyze the public content of each page

  4. Analyze the public global properties of your app

This extracts all front-end data (public and viewable by anyone) as a JSON object, which is then passed through the security algorithm to look for vulnerabilities across every page.
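
As an added illustration (not Bubble's code or algorithm), the sketch below shows how a structure-only check can flag "missing privacy rules" on data types whose field names look sensitive, without reading any database records. The JSON layout, the keyword list, and the function names are assumptions made up for this example; they are not Bubble's real application-file format.

```python
import json
import re

# Constructed sample: a simplified, hypothetical structure-only description of
# an app (type names, field names, privacy-rule presence). Not Bubble's real
# application-file format, and it contains no database records.
SAMPLE_APP = json.loads("""
{
  "data_types": [
    {"name": "User", "privacy_rules": ["Owner only"],
     "fields": ["email", "stripe_customer_id", "display_name"]},
    {"name": "Invoice", "privacy_rules": [],
     "fields": ["amount", "billing_address", "iban", "status"]},
    {"name": "BlogPost", "privacy_rules": [],
     "fields": ["title", "body", "published_at"]},
    {"name": "Integration", "privacy_rules": [],
     "fields": ["provider", "apiToken", "lastSync"]}
  ]
}
""")

# Assumed keyword list; tune it to your own naming conventions.
SENSITIVE_WORDS = {"email", "phone", "address", "iban", "ssn", "password",
                   "secret", "token", "key", "stripe", "birth", "salary"}

def name_tokens(field_name):
    """Split snake_case, kebab-case and camelCase names into lowercase words."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", field_name)
    return {t.lower() for t in re.split(r"[^A-Za-z0-9]+", spaced) if t}

def sensitive_fields(data_type):
    """Judge sensitivity from the field name alone; no field values are read."""
    return [f for f in data_type["fields"] if name_tokens(f) & SENSITIVE_WORDS]

def audit(app):
    """Return findings for types that expose sensitive-looking fields
    without any privacy rule, sorted by type name."""
    findings = []
    for dt in app["data_types"]:
        hits = sensitive_fields(dt)
        if hits and not dt["privacy_rules"]:
            findings.append({"type": dt["name"], "fields": hits,
                             "issue": "missing privacy rules"})
    return sorted(findings, key=lambda f: f["type"])

if __name__ == "__main__":
    for finding in audit(SAMPLE_APP):
        print(finding)
```

Matching on whole words rather than substrings keeps a field such as "keyword" from being flagged because it contains "key".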


Will it slow down my app or use Workload Units?

No on both counts. Security checks run in the background and have no impact on your app's performance or your Workload Unit (WU) usage.


Should I use it if I have an external backend?

Yes — especially if you're using an external backend like Xano or Supabase. When you use a custom backend instead of Bubble's built-in database, some security protections that Bubble normally handles natively won't apply. The security dashboard can detect issues that arise in these setups, including:

  • API calls to/from your external backend

  • Exposed API tokens

  • Data leaks


How do I add a collaborator?

To give a collaborator access to the security dashboard, set them as an Admin on the Bubble app first. Once they have admin access in Bubble, the app will appear in their security dashboard automatically.


Why is my application pending verification?

When you first connect an app, it may show a "Verification pending" status that temporarily prevents you from running tests or viewing issues. This is a security measure to prevent the tool from being used to scan other people's apps.

Verifications are usually reviewed within a few hours.


How do I find my App ID?

Your Bubble App ID is the unique name you gave your app when you created it. You can find it in two places:

  1. In the URL of your app editor, just after id= — for example: bubble.io/page?name=index&id=yourappid&tab=tabs-1

  2. In your preview URL before .bubbleapps.io — for example: yourappid.bubbleapps.io/version-test?debug_mode=true (only if you don't have a custom domain)
