Flusk plan features

Bubble includes a variety of security checks designed to help keep your app secure. The specific security features available to you depend on your current subscription plan.

This article outlines which security features are included in each plan. For a more in-depth explanation of each feature, refer to the detailed descriptions provided at the bottom of the article (or follow the links in the tables below).

Basic security checks

Flusk provides foundational security checks to safeguard your apps from common vulnerabilities. These checks, called “issues” in your dashboard, help identify essential risks and ensure a secure starting point. While the Starter plan includes only these basic checks, all other plans offer both basic and advanced security features for comprehensive protection.

Feature | Starter | Growth | Team | Enterprise

Advanced security checks

Advanced security checks are designed to detect more complex vulnerabilities and potential threats to your app’s infrastructure. While Flusk can detect these issues regardless of your plan, detailed information is limited unless your plan includes advanced checks.

Feature | Starter | Growth | Team | Enterprise

Glossary

Missing privacy rules

This check identifies cases where your app’s database privacy rules aren’t defined. Privacy rules control who can view, search, or modify specific data in your database. When privacy rules are missing, it increases the risk of exposing sensitive user information to unauthorized access, which could lead to data misuse.

Sensitive data exposed in workflows

Detects workflows that expose sensitive data (e.g., user IDs, emails, or financial information) in ways that unauthorized users could intercept or access. You can customize which fields or data types are treated as sensitive, or override any of the defaults.

Editor data visibility risk

Flags settings that allow sensitive data to be visible to app editors, risking accidental leaks or misuse during app development.

Weak password policies

Ensures that end-user password requirements are robust enough to prevent brute-force attacks or unauthorized access.

Unprotected test environments

Identifies test versions of the app that are accessible without proper authentication, exposing sensitive or unfinished features to the public.

Default username/password risk

Detects default admin credentials for your development version (e.g., “username”/“password”) that are easy to guess and compromise.

Publicly accessible sensitive fields

Flags database fields marked as public that contain sensitive data, making them accessible to unauthorized users.

Secure page protection

Detects pages that lack end-user server-side redirects, allowing unauthorized users to navigate to secure areas of the app. This check verifies both frontend permissions and server-side redirects.

Database exposure risks

Identifies unsecured database queries or structures that could expose data to unauthorized users.

Compromised API tokens

Detects exposed or improperly secured API tokens, which could allow unauthorized access to external services.

Unauthorized collaborator access

Flags improperly managed Bubble app collaborator roles that grant unwarranted permissions, risking accidental or malicious changes.

Improperly secured map API keys

Identifies unsecured API keys for Google Maps or similar services, which could lead to unauthorized usage or billing.

Exposed sensitive API parameters

Detects API calls that include sensitive data in plain text or unsecured formats.

Sensitive data in API URLs

Flags URLs that include sensitive information (e.g., usernames or session tokens) which could be logged or intercepted.

Unprotected backend workflows

Identifies backend workflows that lack authentication, making them vulnerable to unauthorized triggers.

Temporary password exploits

Flags workflows that use temporary passwords without proper expiration or security measures.

Insecure API documentation (Swagger)

Detects exposed Swagger documentation that reveals sensitive API endpoints and operations.

Publicly accessible file uploaders

Flags file upload fields that let anyone upload files without restrictions, risking the upload of malicious files.

Publicly accessible picture uploaders

Identifies picture uploaders that allow unrestricted uploads, which could result in misuse or security breaches.

Unrestricted iFrame embedding

Detects iFrame settings that allow your app to be embedded by unauthorized domains, risking phishing or content hijacking.