Security

Last updated 5 months ago

Introduction to security

In this section, we'll dive into the topic of ensuring your app's safety and protecting your users' data. When it comes to security, Bubble's primary goal is to provide a solid foundation that follows industry best practices. Bubble as a platform doesn't reinvent the wheel; instead, we rely on proven methodologies to deliver tools that let you set up applications with security that's comparable to the world's major software providers.

As we discuss Bubble's security measures, it's important to remember that our platform's flexibility can be a double-edged sword. Bubble empowers you with the tools and options to create versatile applications; however, this also means that you bear the responsibility of using these tools correctly to guarantee a secure environment.

Your app's security is ultimately in your hands, and it's crucial to understand and implement best practices while building your app to protect your users and their data.

Throughout this chapter, we'll explore the various aspects of Bubble's security and provide insights into how you can make the most of our platform's features to create a safe and secure application.

Our shared security responsibility

Bubble operates within a "Platform-as-a-Service" (PaaS) architecture, where we serve as a facilitator for developing, deploying, and hosting web applications. We maintain a close collaboration with Amazon Web Services (AWS).

This structure means that there is a shared security responsibility between Bubble, AWS, and you as a user of the Bubble platform.

  • Bubble commits to providing and maintaining the tools that our users need to keep their data and processes safe. This includes Bubble account security, data encryption at rest and in transit, user authentication, rigorous application-level safeguards, consistent service uptime, pen testing, logging, backups, and DDoS protection. Bubble is compliant with the SOC 2 Type II standard for security, and we have implemented measures designed to meet the standards of applicable data privacy laws, including the General Data Protection Regulation in the EU and the UK.

  • Amazon AWS oversees aspects such as the physical infrastructure, hardware, network, and the integrity of the server environment.

  • Bubble users are responsible for understanding and following our terms and acceptable use policy, maintaining secure account access, supplying precise and up-to-date information to Bubble, understanding and using Bubble's settings and tools correctly, and reporting security issues to Bubble in a timely manner.

What security means

When discussing app security, it's common to focus on malicious intent, such as hacking. However, when planning your security measures, it's essential to recognize that hackers represent just one aspect of potential security risks. There are several other equally important factors to consider:

Database leaks

A database leak in this context means inadvertently exposing data to users who shouldn't have access to it. This is handled by setting proper Privacy Rules on all private data types.

Revealing data in the app code

Although Bubble is a no-code platform, the final app consists of HTML, CSS, JSON and JavaScript that Bubble generates for you. Since these files are downloaded to the user's device, a tech-savvy user can look at them. If you have inadvertently placed sensitive data such as API keys in certain parts of your app, the user may be able to extract them.

We have a closer look at this potential vulnerability in our article on Page security.

Unauthorized account access

Another potential vulnerability is users gaining access to other users' accounts. When planning your app to avoid this issue, you should make sure you have a secure sign-up and login process. You can also consider enforcing a password policy and two-factor authentication.

We explore this subject in more detail in our articles on App security and Securing your Bubble account.

Improper app security settings

Bubble offers multiple settings on an app level, such as encrypting certain data, protecting parts of your app with a username and password, and controlling access levels.

We strongly recommend reviewing these settings thoroughly.

API calls

API calls can also open up potential vulnerabilities if set up incorrectly. We go over this in detail in our article on API security.

Continue reading

Overview of Bubble's security features

This section gives an overview of the different security features that Bubble offers, along with links to learn more about each one.

Article: Bubble's security features

Planning app security

This section looks at the importance of planning and what that means for privacy and security. We look at both how to think about your app's policy as a whole and what that means in terms of planning your database structure, user roles and pages.

Article: Planning app security

Client-side and server-side

Bubble apps work as a result of ongoing communication between the user's device and Bubble's server. Understanding the difference between the two is an important part of your app's security.

Article: Client-side and server-side

Bubble account security

Unauthorized access to your Bubble account is one of the biggest security breaches you can encounter, as it gives full access to both the app and data of all apps linked to your account. Consequently, Bubble offers powerful tools to secure it.

Article: Bubble account security

App security

This section covers the general security settings in your app.

Article: App security

Page security

This section covers the security on each of your pages and how to think about the data that is sent from the server to your user's device.

Article: Page security

Securing the database with Privacy Rules

Privacy Rules govern on the server which users have access to what data. Privacy Rules are needed to keep the data in your database safe and avoid accidental leaks.

Article: Privacy Rules (links to the Data section)

API security

Bubble offers a lot of flexibility to connect your app to other apps and systems through API calls. This section covers how to ensure both incoming and outbound connections are kept secure.

Article: API security

Bubble cookies

Bubble uses cookies for authentication purposes and to enable key functionality of the Bubble platform.

Article: Bubble cookies (links to the Data section)
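As an added illustration of the point made under Database leaks and Client-side and server-side above, the following Python is a constructed model (not Bubble's code or its Privacy Rules engine) of why access filtering must happen on the server: a record that matches no rule never leaves the server, only the granted fields are returned, and hiding records on the client still ships the full payload to the user's device. The data type, rules and users are assumptions made up for the example.

```python
# Constructed model of server-side privacy rules (not Bubble's own implementation).
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Thing:
    """One database record of a given data type."""
    data_type: str
    creator: str
    fields: dict

@dataclass(frozen=True)
class PrivacyRule:
    """When condition(viewer, thing) holds, the viewer may see visible_fields
    and, if findable, retrieve the Thing in searches. '*' means all fields."""
    data_type: str
    condition: Callable[[str, Thing], bool]
    visible_fields: frozenset
    findable: bool

def server_side_search(things, rules, viewer):
    """Filter on the server before anything is sent to the client: a Thing is
    returned only if a matching rule makes it findable, with only granted fields."""
    results = []
    for thing in things:
        matching = [r for r in rules
                    if r.data_type == thing.data_type and r.condition(viewer, thing)]
        if not any(r.findable for r in matching):
            continue  # no rule grants access: the record never leaves the server
        granted = frozenset().union(*(r.visible_fields for r in matching))
        fields = thing.fields if "*" in granted else {
            k: v for k, v in thing.fields.items() if k in granted}
        results.append(dict(fields))
    return results

def client_side_hide(things, viewer):
    """Anti-pattern: send every record and let the page hide the rest.
    Hidden or not, the full payload reaches the user's device."""
    return [dict(t.fields, _hidden=viewer not in (t.creator, t.fields.get("recipient")))
            for t in things]

# Constructed sample data: private messages between users.
MESSAGES = [
    Thing("Message", "alice", {"body": "invoice attached", "recipient": "bob", "internal_note": "vip"}),
    Thing("Message", "carol", {"body": "lunch?", "recipient": "dave", "internal_note": ""}),
]

RULES = [
    # "This Message's Creator is Current User": view all fields, find in searches
    PrivacyRule("Message", lambda v, t: v == t.creator, frozenset({"*"}), True),
    # "This Message's recipient is Current User": body and recipient only
    PrivacyRule("Message", lambda v, t: v == t.fields["recipient"], frozenset({"body", "recipient"}), True),
    # Everyone else: no rule matches, so nothing is findable or visible
]

if __name__ == "__main__":
    print(server_side_search(MESSAGES, RULES, "bob"))      # body and recipient of the message he received
    print(server_side_search(MESSAGES, RULES, "mallory"))  # []
    print(client_side_hide(MESSAGES, "mallory"))           # both full records, merely flagged hidden
```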