[New feature] Find leaked API keys with the secrets scanner

Hi everyone,

I’m Lindsay, a product manager at Bubble. I’m excited to share that we recently added a new security check called the secrets scanner to the security dashboard (formerly Flusk).

What the secrets scanner does

This check scans your entire app for leaked API keys. When API keys are misconfigured and exposed within the page code, bad actors can access user data and trigger unexpected charges. The secrets scanner identifies any exposed keys and shows you exactly where to find and fix them.

How to access it

Head to scan.bubble.io and run a security scan on your app. If the scan finds exposed keys, you’ll see Secret key exposure listed under type.

Click on the issue to open a sidebar, which will list the issue description, the location of the exposed key, and part of the key itself so you can identify it in your editor. From there, click Fix in the editor to jump directly to the location where you can remove or hide the key.

Since this feature went live a little over a week ago, we’ve already helped hundreds of apps become more secure by identifying and helping fix exposed API keys. If you haven’t run a scan recently, now’s a great time to see if your app has any exposed keys or other vulnerabilities.

If you have questions or feedback about the secrets scanner or the security dashboard, let us know below. And if you’re interested in helping us test and shape security features, you can sign up here — we’d love your input!

Happy building!

— Lindsay

11 Likes

Great work! Tried hiding keys all around and this thing finds them 🔥

3 Likes

I recorded a quick run-through video for this.

1 Like

Great, that’s very good!