In this section we will cover many of the typical points that need to be checked and re-checked as your app goes through the first and continued deployments.

Planning

• Plan the different parts of your security structure before you start building:

  • Data types

  • Pages

  • User roles

Bubble account security

• Use a strong password

• Enable two-factor authentication (2FA)

• Create and maintain a password and 2FA policy for all collaborators

App access security

• Don’t give collaborators more access than they need

• Remove collaborators that no longer need access

• Maintain a policy for access to the live database

Database

• Add privacy rules to all private data types

• Use Only when conditions to protect data from unauthorized editing in workflows or use auto-binding in combination with privacy rules

• Be mindful of who has access if you copy your Live database to Development

Page security

• Don’t store sensitive data in page elements and workflows

• Be mindful of other details that are visible in Bubble’s Javascript files

  • Name of pages

  • Name of data types and default values

  • Information stored in the API Connector

  • Names and attributes of Option sets

  • Names and strings saved in application texts

  • Use the App optimizer to remove deleted data from the code

• Don’t store sensitive data in URL parameters

Plugins and custom headers

• Plugins and custom headers may affect security – make sure they come from a trusted source