Bubble Stripe Plugin Security

My app uses the native Bubble/Stripe plugin, and also a few Stripe webhooks.

I’ve been working heavily to make my webhooks secure, as I came to realize they aren’t really secure at all to begin with.

Well after this realization, I began to wonder: “How secure are the actions in the native Bubble/Stripe plugin? Is it anything like a webhook?”

Specifically, I use some features like “Subscribe user to price” and then run a workflow after this. How secure is this? Can this be easily hacked to make Bubble think the “Subscribe user to price” went through, and then continue the workflow? Are there any security measures I need to add (like with webhooks) to make this secure?

Maybe the plugin is totally secure and nothing like a webhook, but I have to ask.

Thanks in advance!

I believe the recommendation is typically to only execute what is supposed to happen after a user subscribes to a plan via a Stripe webhook + backend WF.

That’s what I’m thinking is the safest option. Just wasn’t sure if the plugin had some sort of built-in security that would make that method redundant. Learning as I go here :grinning: