🎉 Introducing the most advanced security platform for Bubble for free (Bubble App Audit)

Oddly enough, so far I’m not seeing any activity show up from non-logged in users / anon - and the second I log in or switch browsers to one that is logged in, the latter traffic does populate, so I know it’s working right otherwise.

I assume this is you so not-logged-in does work - I wonder if it’s a limitation for how Bubble tracks IP addresses (since my devices and browsers are on the same network):

image373×571 28 KB

Nah, it’s a plugin bug, I’ll have a fix deployed in 10 minutes

lol

everyone has its own interpretation of gdpr I guess. you may want to read again the definition of personal information and whether gdpr applies specifically to cookies or any tech that can make you identify a person…

any user accessing a bubble app gets a user id from the first request, even if not logged in

Well it’s a good job it’s for them to decide and not me

Thank you for this. Helped a lot with a few little issues

it is for you to decide as well since your company stores the data
I suppose many people would be happy with you explaining how to selfhost umami. then it would be their call only.

I’m happy you are pushing bubble (and bubblers) to get better, but this take was an instant lol for me

Sure, fair enough haha - that’s why I try my best to avoid making hard claims about things I’m not qualified to talk about!

Our analytics backend is Umami, hosted on our own server in Germany. Here’s what they say:

Developed with a strong emphasis on user privacy, Umami is designed to be GDPR compliant by default, ensuring that marketers can gather the necessary data to optimize their websites and campaigns without the need for intrusive tracking or cookie consent banners.

By default, Umami anonymizes all visitor data, stripping away any personally identifiable information (PII). No personal data is ever collected or processed, making Umami fully compliant with GDPR and other privacy regulations like the California Consumer Privacy Act (CCPA).

Another advantage of Umami is its cookie-free tracking approach. Unlike many other analytics platforms, including Google Analytics, Umami does not rely on cookies to track visitor behavior which eliminates the need for cookie consent banners. Marketers know that these banners can be annoying, negatively impact user experience, and would prefer not to have them if at all possible.

So, there you go. Any additional data (like user emails) you choose to track you’d want consent for, but you’d be fine as is with the default analytics.

it could be another 1$ service after the audit: learn how to self host your own analytics.

fun fact, before gdpr in some eu jurisdictions self hosting your own analytics required more bureaucratic burden than google analytics with anonymized data XD

yes, but…

last time I read the documents on the law it was clear that physical location of the server matters less than country of incorporation of the company owning the servers, cookies are just one way data is stored but the law is tech agnostic, sometimes an ip address can be considered personal information (so what about a user unique identifier)

I am not a layer by the way…

I’ve deployed an info text on the ‘connect analytics’ popup (shown when users copy their website ID) that the plugin returns the Bubble user ID automatically so they may need user consent for that! That should ensure they have the info they need to decide for themselves what stuff they need in place. Thank you for the nudge!

Great help for us! Waiting for the WU per user.

Did you use bubble database here as well? Or any external database used for NQU Secure?

No, except analytics

Merry Christmas

is this about a browser extension or bubble editor update?

maybe 2026

so long security then

NQU Secure is a terrible name and will change at some point as whatever it is that I’m creating is going to be way more than just security.

And, ‘whatever it is I’m building’ is just a loose translation for ‘everything I wish Bubble would do for me already’.

Edit:

For people only interested in the security side, these are what are the highest priorities for me at the moment, though I’m always open to hearing suggestions:

• Check privacy rule configuration logic
• Check for private file/picture uploaders and public files
• Check for client side variables in workflows (in comb. with extension to flag these visually in the editor)

what I mean is that bubble editor is a privileged environment. third parties must not have access to it. that’s why plugin previews are crippled into sandboxed iframes. that’s why plugin field descriptions can’t have rich text anymore (after I reported it could bypass the sandboxed iframe and inject code).
your effort to push for security is good, but third parties browser extensions for the editor bypass any security you put in place and add the risk to expose any secret key in the editor.
I know you can say that we can read and audit extension code but most people will not do it and it is very easy that the extension auto updates or loads latest external library from a cdn without pinning the version (like what happened with the lottie plugin).
as a bubble ambassador it’s probably better you bring your editor improvement proposal to the team since they can easily listen to you than endorse an unsafe practice.
your next post aboit securitt should be “why browser extensions might be your app biggest vulnerability”. there is another one as well but it will annoy too many bubblers and, as everything, has been already discussed in the forum.

of course this is my opinion and anybody is entitled to have a different one