Security

Introduction to security

In this section, we'll dive into the topic of ensuring your app's safety and protecting your users' data. When it comes to security, Bubble's primary goal is to provide a solid foundation that follows industry best practices. Bubble as a platform doesn't reinvent the wheel; instead, we rely on proven methodologies to deliver tools that let you set up applications with security that's comparable to the world's major software providers.

As we discuss Bubble's security measures, it's important to remember that our platform's flexibility can be a double-edged sword. Bubble empowers you with the tools and options to create versatile applications; however, this also means that you bear the responsibility of using these tools correctly to guarantee a secure environment.

Your app's security is ultimately in your hands, and it's crucial to understand and implement best practices while building your app to protect your users and their data.

Throughout this chapter, we'll explore the various aspects of Bubble's security and provide insights into how you can make the most of our platform's features to create a safe and secure application.

Our shared security responsibility

Bubble operates within a "Platform-as-a-Service" (PaaS) architecture, where we serve as a facilitator for developing, deploying, and hosting web applications. We maintain a close collaboration with Amazon Web Services (AWS).

This structure means that there is a shared security responsibility between Bubble, AWS, and you as a user of the Bubble platform.

  • Bubble commits to providing and maintaining the tools that our users need to keep their data and processes safe. This includes Bubble account security, data encryption at rest and in transit, user authentication, rigorous application-level safeguards, consistent service uptime, pen testing, logging, backups, and DDoS protection. Bubble is compliant with the SOC 2 Type II standard for security, and we have implemented measures designed to meet the standards of applicable data privacy laws, including the General Data Protection Regulation in the EU and the UK.

  • Amazon AWS oversees aspects such as the physical infrastructure, hardware, network, and the integrity of the server environment.

  • Bubble users are responsible for understanding and following our terms and acceptable use policy, maintaining secure account access, supplying precise and up-to-date information to Bubble, understanding and using Bubble’s settings and tools correctly, and reporting security issues to Bubble in a timely manner.

What security means

When discussing app security, it's common to focus on malicious intent, such as hacking. However, when planning your security measures, it's essential to recognize that hackers represent just one aspect of potential security risks. There are several other equally important factors to consider:

Database leaks

Database leaks in this context means inadvertently leaking data to users who shouldn't have access to it. This is handled by setting proper Privacy Rules on all private data types.

Revealing data in the app code

Although Bubble is a no-code platform, the final app consists of HTML, CSS, JSON and JavaScript that Bubble generates for you. Since these files are downloaded to the user's device, a tech-savvy user can look at them. If you have inadvertently placed sensitive data such as API keys in certain parts of your app, the user may be able to extract them.

We take a closer look at this potential vulnerability in our article on Page security.
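As an added illustration (not Bubble's own code or tooling), the following script shows the kind of check a developer can run over the text of a generated client-side bundle before publishing: it flags string tokens that look like credentials, either because they carry a well-known key prefix or because they are long and high-entropy. The bundle below is constructed for the example and the key values in it are fake; the prefix list is an assumption covering a few common formats, not an exhaustive one.

```javascript
// Constructed sample of generated client-side JavaScript. Everything in it is fake.
const SAMPLE_BUNDLE = `
  var cfg = {"apiBase":"https://api.example.com/v1","theme":"light"};
  fetch(cfg.apiBase + "/orders", {headers: {"Authorization": "Bearer sk_live_4eC39HqLyjWDarjtT1zdp7dc"}});
  var mapsKey = "AIzaSyD-EXAMPLEFAKEKEY0123456789abcdefg";
  var label = "Welcome back";
`;

// Shannon entropy in bits per character; random-looking keys score high,
// ordinary words and repeated characters score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Assumed prefixes of common secret formats (illustrative, not exhaustive).
const KNOWN_PREFIXES = [/^sk_(live|test)_/, /^AIza/, /^AKIA/, /^ghp_/];

// Scan bundle text for key-shaped tokens. A token is reported when it matches a
// known prefix, or when it is at least minLen characters and its entropy is at
// least minEntropy bits per character.
function findSuspectedSecrets(text, minLen = 20, minEntropy = 3.5) {
  const findings = [];
  const tokenRe = /[A-Za-z0-9_\-]{16,}/g;
  let m;
  while ((m = tokenRe.exec(text)) !== null) {
    const tok = m[0];
    const prefixHit = KNOWN_PREFIXES.some((re) => re.test(tok));
    const entropy = shannonEntropy(tok);
    if (prefixHit || (tok.length >= minLen && entropy >= minEntropy)) {
      findings.push({
        value: tok,
        reason: prefixHit ? "known-prefix" : "high-entropy",
        entropy: Number(entropy.toFixed(2)),
      });
    }
  }
  return findings;
}

// Each finding is a candidate to move out of the page and into a server-side workflow.
console.log(findSuspectedSecrets(SAMPLE_BUNDLE));
```

Expect false positives on long identifiers or URL fragments; the point is to surface candidates for review, not to decide automatically.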

Unauthorized account access

Another potential vulnerability includes users gaining access to other users’ accounts. When planning your app to avoid this issue, you should make sure you have a secure sign-up and login process. You can also consider enforcing a password policy and two-factor authentication.

Improper app security settings

Bubble offers multiple settings on an app level, such as encrypting data in by use of , protecting your with a username and password and controlling the access level of .

We strongly recommend reviewing these settings thoroughly.

We explore this subject in more detail in our articles on App security and Securing your Bubble account.

API calls

API calls can also open up potential vulnerabilities if set up incorrectly. We go over this in detail in our article on API security.

Continue reading

Overview of Bubble's security features

This section gives an overview of the different security features that Bubble offers, along with links to learn more about each one.

Article: Bubble's security features

Planning app security

This section looks at the importance of planning and what that means for privacy and security. We look at both how to think about your app's policy as a whole and what that means in terms of planning your database structure, user roles and pages.

Article: Planning app security

Client-side and server-side

Bubble apps work as a result of ongoing communication between the user's device and Bubble's server. Understanding the difference between the two is an important part of your app's security.

Article: Client-side and server-side

Bubble account security

Unauthorized access to your Bubble account is one of the biggest security breaches you can encounter, as it gives full access to both the app and data of all apps linked to your account. Consequently, Bubble offers powerful tools to secure it.

Article: Bubble account security

App security

This section covers the general security settings in your app.

Article: App security

Page security

This section covers the security on each of your pages and how to think about the data that is sent from the server to your user's device.

Article: Page security

Securing the database with Privacy Rules

Privacy Rules govern on the server which users have access to what data. Privacy Rules are needed to keep the data in your database safe and avoid accidental leaks.

Article: Privacy Rules (links to the Data section)

API security

Bubble offers a lot of flexibility to connect your app to other apps and systems through API calls. This section covers how to ensure both incoming and outbound connections are kept secure.

Article: API security

Bubble cookies

Bubble uses cookies for authentication purposes and to enable key functionality of the Bubble platform.

Article: Bubble cookies (links to the Data section)
