Bubble App Security Best Practices
Bubble offers you a lot of flexibility and power - with all the building blocks Bubble provides, you can build any idea you have! But, just as if you had built your idea in code, you have to think about data security and the general security of your Bubble app. Luckily, Bubble has a variety of features to help you set up the security you need.
It is highly recommended that you think about security as you build your app, and especially before you launch it to actual users!
There are a variety of security tips throughout the Docs, but here is a compilation of top things to keep in mind:
- 1. (Very important!) Privacy Rules help you specify what data a given user should be allowed to see - make sure to use them!
- 2. Be careful with how you've set up your API Connector calls - for example, always make sure that credentials go in "private" fields, and be additionally cautious if you're choosing to make an API call from the client.
- 3. When activating your app's Data or Workflow API, be careful with how an outsider authenticates to make a call, and for the Data API, make sure Privacy Rules are set up!
- 4. Certain aspects of how the app is built are visible to technically savvy users, including: which apps exist in an app, what data types and fields exist in an app, any static content on a page even if it's in a hidden element, all option sets (including their options and attributes) in an app, etc.
In case you'd like extra help with security best practices, there are third-party tools in the Bubble ecosystem that can assess an app for any known security weaknesses, e.g. nocode:nohack.