Bubble Docs
Ask or search…

Security checklist

Before reading this article, keep in mind that a checklist can’t cover all possible security scenarios or threats. Consider it a useful starting point but remember that your app is a unique project that may warrant additional security measures not covered here.
We recommend reading our in-depth guides, continuing to educate yourself on Bubble app security best practices and get in touch with our Success team if you have any questions. Ensuring the security of your app is ultimately your responsibility, but we will do our best to provide you with the resources you need.
In this section we will cover many of the typical points that need to be checked and re-checked as your app goes through the first and continued deployments.


  • Plan the different parts of your security structure before you start building:
    • Data types
    • Pages
    • User roles

Bubble account security

  • Use a strong password
  • Enable two-factor authentication (2FA)
  • Create and maintain a password and 2FA policy for all collaborators

App access security

  • Don’t give collaborators more access than they need
  • Remove collaborators that no longer need access
  • Maintain a policy for access to the live database


  • Add privacy rules to all private data types
  • Use Only when conditions to protect data from unauthorized editing in workflows or use auto-binding in combination with privacy rules
  • Be mindful of who has access if you copy your Live database to Development

Page security

  • Don’t store sensitive data in page elements and workflows
  • Be mindful of other details that are visible in Bubble’s Javascript files
    • Name of pages
    • Name of data types and default values
    • Information stored in the API Connector
    • Names and attributes of Option sets
    • Names and strings saved in application texts
    • Use the App optimizer to remove deleted data from the code
  • Don’t store sensitive data in URL parameters

Plugins and custom headers

  • Plugins and custom headers may affect security – make sure they come from a trusted source
Last modified 5mo ago