Bubble Docs
Flusk plan features

Bubble includes a variety of security checks designed to help keep your app secure. The specific security features available to you depend on your current subscription plan.

This article outlines which security features are included in each plan. For a more in-depth explanation of each feature, refer to the detailed descriptions provided at the bottom of the article (or follow the links in the tables below).

Basic security checks

Flusk provides foundational security checks to safeguard your apps from common vulnerabilities. These checks, called “issues” in your dashboard, help identify essential risks and ensure a secure starting point. While the Starter plan includes only these basic checks, all other plans offer both basic and advanced security features for comprehensive protection.

| Feature | Starter | Growth | Team | Enterprise |
| --- | --- | --- | --- | --- |
| Missing privacy rules | ✅ | ✅ | ✅ | ✅ |
| Sensitive data exposed in workflows | ✅ | ✅ | ✅ | ✅ |
| Editor data visibility risk | ✅ | ✅ | ✅ | ✅ |
| Weak password policies | ✅ | ✅ | ✅ | ✅ |
| Unprotected test environments | ✅ | ✅ | ✅ | ✅ |
| Default username/password risk | ✅ | ✅ | ✅ | ✅ |
| Publicly accessible sensitive fields | ✅ | ✅ | ✅ | ✅ |

Advanced security checks

Advanced security checks are designed to detect more complex vulnerabilities and potential threats to your app’s infrastructure. While Flusk can detect these issues regardless of your plan, detailed information is limited unless your plan includes advanced checks.

| Feature | Starter | Growth | Team | Enterprise |
| --- | --- | --- | --- | --- |
| Secure page protection | ❌ | ✅ | ✅ | ✅ |
| Database exposure risks | ❌ | ✅ | ✅ | ✅ |
| Compromised API tokens | ❌ | ✅ | ✅ | ✅ |
| Unauthorized collaborator access | ❌ | ✅ | ✅ | ✅ |
| Improperly secured map API keys | ❌ | ✅ | ✅ | ✅ |
| Exposed sensitive API parameters | ❌ | ✅ | ✅ | ✅ |
| Sensitive data in API URLs | ❌ | ✅ | ✅ | ✅ |
| Unprotected backend workflows | ❌ | ✅ | ✅ | ✅ |
| Temporary password exploits | ❌ | ✅ | ✅ | ✅ |
| Insecure API documentation (Swagger) | ❌ | ✅ | ✅ | ✅ |
| Publicly accessible file uploaders | ❌ | ✅ | ✅ | ✅ |
| Publicly accessible picture uploaders | ❌ | ✅ | ✅ | ✅ |
| Unrestricted iFrame embedding | ❌ | ✅ | ✅ | ✅ |

Glossary

Missing privacy rules

This check identifies cases where your app’s database privacy rules aren’t defined. Privacy rules control who can view, search, or modify specific data in your database. When privacy rules are missing, it increases the risk of exposing sensitive user information to unauthorized access, which could lead to data misuse.

If no privacy rules are set for a user data type, anyone with access to the app could retrieve personal information through a search or API call.

Sensitive data exposed in workflows

Detects workflows that expose sensitive data (e.g., user IDs, emails, or financial information) in ways that unauthorized users could intercept or access. You can customize which fields and data types count as sensitive, or override any of the defaults.

A workflow sends a user’s email address in a query string or includes it in logs visible in the browser’s developer tools, exposing it to malicious actors.

Editor data visibility risk

Flags settings that allow sensitive data to be visible to app editors, risking accidental leaks or misuse during app development.

An app editor sees confidential user data like purchase histories while debugging workflows, even though it’s unrelated to their tasks.

Weak password policies

Ensures that end-user password requirements are robust enough to prevent brute-force attacks or unauthorized access.

A password policy that allows simple passwords like “12345” makes it easy for attackers to guess credentials and gain access.

Unprotected test environments

Identifies test versions of the app that are accessible without proper authentication, exposing sensitive or unfinished features to the public.

The test version of your app is live and accessible via a shared link, allowing unintended users to explore unreleased functionality or data.

Default username/password risk

Detects default admin credentials for your development version (e.g., “username”/“password”) that are easy to guess and compromise.

An app’s admin panel uses default credentials, and an attacker gains access by guessing them.

Publicly accessible sensitive fields

Flags database fields marked as public that contain sensitive data, making them accessible to unauthorized users.

A field storing user payment history is marked as public, allowing anyone with access to query this data.

Secure page protection

Detects pages that lack a server-side redirect for unauthorized end users, allowing them to navigate to secure areas of the app. This check verifies both frontend permissions and server-side redirects.

A user without admin privileges manually enters the admin dashboard URL and gains access because no page-level restrictions are set.

Database exposure risks

Identifies unsecured database queries or structures that could expose data to unauthorized users.

A search query in a public-facing workflow retrieves all users’ information without filtering for the current user.

Compromised API tokens

Detects exposed or improperly secured API tokens, which could allow unauthorized access to external services.

An API token for a payment service is visible in a browser’s developer tools, enabling attackers to misuse it.

Unauthorized collaborator access

Flags improperly managed Bubble app collaborator roles that grant unwarranted permissions, risking accidental or malicious changes.

A former freelancer still has access to your app and can modify workflows or view sensitive data.

Improperly secured map API keys

Identifies unsecured API keys for Google Maps or similar services, which could lead to unauthorized usage or billing.

Your public-facing app exposes a Google Maps API key, allowing attackers to use it for their projects, leading to unexpected charges.

Exposed sensitive API parameters

Detects API calls that include sensitive data in plain text or unsecured formats.

A call to a payment gateway includes the third-party API key and isn’t marked as hidden.

Sensitive data in API URLs

Flags URLs that include sensitive information (e.g., usernames or session tokens) which could be logged or intercepted.

A session token appears in a URL shared with a third party, granting them unauthorized access to the user’s session.
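A defensive scanner of the kind this check describes, added here as an example that is not part of Flusk or Bubble: it walks constructed access-log lines, flags URL parameters whose name or value looks like a session token or email address, and produces a redacted form that is safe to log. The parameter-name list and the sample log are assumptions for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry secrets or identifiers.
# Constructed for this example; extend it with your app's own parameter names.
SENSITIVE_PARAM_NAMES = {"token", "session", "session_token", "api_key", "apikey",
                         "password", "email", "username", "auth"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# A long opaque value (hex or base64-like) is a strong hint that it is a token.
OPAQUE_RE = re.compile(r"^[A-Za-z0-9_\-]{24,}$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def find_sensitive_params(url):
    """Return [(param_name, reason)] for query/fragment parameters that look sensitive."""
    parts = urlsplit(url)
    findings = []
    for where, raw in (("query", parts.query), ("fragment", parts.fragment)):
        for name, value in parse_qsl(raw, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAM_NAMES:
                findings.append((name, f"{where}: sensitive parameter name"))
            elif EMAIL_RE.match(value):
                findings.append((name, f"{where}: value is an email address"))
            elif OPAQUE_RE.match(value):
                findings.append((name, f"{where}: value looks like an opaque token"))
    return findings

def redact_url(url):
    """Rebuild the URL with every flagged parameter value replaced by REDACTED."""
    parts = urlsplit(url)
    flagged = {name for name, _ in find_sensitive_params(url)}

    def scrub(raw):
        pairs = [(n, "REDACTED" if n in flagged else v)
                 for n, v in parse_qsl(raw, keep_blank_values=True)]
        return urlencode(pairs)

    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       scrub(parts.query), scrub(parts.fragment)))

def scan_log_lines(lines):
    """Return [(line_number, url, findings)] for every logged URL carrying sensitive data."""
    results = []
    for lineno, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            findings = find_sensitive_params(url)
            if findings:
                results.append((lineno, url, findings))
    return results

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "10:00:01 GET https://app.example.com/index?page=home 200",
    "10:00:02 GET https://app.example.com/reset?email=alice%40example.com 200",
    "10:00:03 GET https://app.example.com/api/export?session_token=0123456789abcdef0123456789abcdef 200",
    "10:00:04 GET https://app.example.com/profile?user=alice 200",
]

if __name__ == "__main__":
    for lineno, url, findings in scan_log_lines(SAMPLE_LOG):
        print(f"line {lineno}: {findings} -> {redact_url(url)}")
```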

Unprotected backend workflows

Identifies backend workflows that lack authentication, making them vulnerable to unauthorized triggers.

An attacker discovers and runs an API workflow that deletes records from your database.

Temporary password exploits

Flags workflows that use temporary passwords without proper expiration or security measures.

A user’s temporary password is generated on the client side, making it possible for an attacker to reset anyone’s password, including admins.

Insecure API documentation (Swagger)

Detects exposed Swagger documentation that reveals sensitive API endpoints and operations.

Swagger docs expose sensitive APIs, giving attackers a roadmap to exploit your app.

Publicly accessible file uploaders

Flags file upload fields that allow anyone to upload files without restrictions, risking malicious file injections.

A file uploader doesn’t link the file to a database entry, and therefore isn’t applying privacy rules.

Publicly accessible picture uploaders

Identifies picture uploaders that allow unrestricted uploads, which could result in misuse or security breaches.

An image uploader doesn’t link the file to a database entry, and therefore isn’t applying privacy rules.

Unrestricted iFrame embedding

Detects iFrames that allow embedding from unauthorized domains, risking phishing or content hijacking.

An attacker embeds your app in a malicious iFrame to harvest user inputs or mimic legitimate functionality.
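To verify this control on a deployed page, a defender inspects its response headers. The following added example (not code from Flusk or Bubble) classifies who may frame a page from the X-Frame-Options and Content-Security-Policy frame-ancestors headers, applying the rule that frame-ancestors overrides X-Frame-Options when both are present; the header sets it runs on are constructed.

```python
def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def embedding_allowed_from(headers):
    """Return who may embed the page: 'nobody', 'same-origin', 'anyone',
    or a sorted list of allowed frame-ancestors sources."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:
        # CSP frame-ancestors takes precedence; X-Frame-Options is then ignored by browsers.
        srcs = [s.strip("'").lower() for s in ancestors]
        if not srcs or srcs == ["none"]:      # empty list is equivalent to 'none'
            return "nobody"
        if srcs == ["self"]:
            return "same-origin"
        if "*" in srcs:
            return "anyone"
        return sorted(srcs)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "nobody"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # No header, or the obsolete ALLOW-FROM form that modern browsers ignore.
    return "anyone"

def is_unrestricted(headers):
    """True when any site can frame the page, i.e. the finding this check reports."""
    return embedding_allowed_from(headers) == "anyone"

# Constructed header sets (not captured from a real app).
SAMPLE_RESPONSES = {
    "no-protection": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "csp-wildcard": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(f"{name}: {embedding_allowed_from(headers)} (unrestricted={is_unrestricted(headers)})")
```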
