Security Checklist to follow for your Bubble App

What Data is Publicly Visible & How to Check

How to Check
Right-click page → Inspect → Console → console.log(app)

Publicly Visible Data

  • Option Sets

  • Data Types & Fields

  • API Connector calls & non-private parameters

  • Backend Workflows

  • Google Maps API Key

  • Page Names

Privacy Rules

Things to take care of:

  1. Check for empty conditions that evaluate to true when no value is present.
  2. Check/uncheck the values accordingly:
    a. View all fields - uncheck it, then mark only the fields that should be visible, if not all fields are necessary.
    b. Find in searches - if unchecked, the data will not be found in searches, so check accordingly.
    c. View attached files - if checked, attached files will be visible, so check accordingly.
    d. Everyone else - check the fields that should be visible irrespective of all other privacy rules.

Settings

  • TLS Encryption → check in Domain Settings.

  • Editor Access → mark private.

  • Add username/password for test/live if needed.

  • Block I-frames.

  • Hide Swagger → disable it.
    Link: https://[appName].bubbleapps.io/version-test/api/1.1/meta/swagger.json

  • Data API → uncheck unless required.
    Link: https://[appName].bubbleapps.io/version-test/api/1.1/obj/[dataType]

Frontend Workflows

  • Add Logged In/Out conditions.

  • Restrict via User Roles.

  • Mark elements as unclickable in conditions.

Inputs

  • Use :trimmed to remove spaces.

  • Use Find & Replace / Regex for validation.

  • Limit character count.

Backend Workflows

  • Uncheck Public API workflow unless used.

  • Uncheck without authentication.

  • Avoid "ignore privacy rules" unless necessary.

  • Return 200 only if condition met.

  • Use authentication in settings (not fully secure).

Protect backend workflows with user-side authentication:

  • For in-app calls via API Connector: send Authorization key (private parameter) and validate.

  • For frontend-scheduled workflows: store auth key in user, send as parameter, verify in workflow.
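
The check the two points above describe, written out as an added Python illustration (not Bubble code, since Bubble workflows are configured, not written): a per-user auth key is stored on the User, sent as a parameter, and the workflow returns 200 only if it matches. The naive version also shows the "empty condition" trap from the Privacy Rules section: an equality condition with both sides empty is true. Field and function names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    email: str
    auth_key: str = ""  # per-user key stored on the User record (assumed field name)


def issue_auth_key(user: User) -> str:
    """Generate a fresh random key and store it on the user (assumed helper)."""
    user.auth_key = secrets.token_urlsafe(32)
    return user.auth_key


def naive_check(user: User, param: Optional[str]) -> int:
    """Equality condition as many workflows write it.

    If the user has no key yet and the caller sends no parameter, both sides are
    empty, the condition is true and the workflow returns 200 to an unauthenticated
    caller. This is the empty-condition mistake the checklist warns about.
    """
    return 200 if (param or "") == (user.auth_key or "") else 401


def hardened_check(user: User, param: Optional[str]) -> int:
    """Return 200 only when a non-empty key exists on both sides and they match.

    hmac.compare_digest keeps the comparison constant-time so that response
    timing does not leak how many leading characters of the key were correct.
    """
    if not param or not user.auth_key:
        return 401
    if not hmac.compare_digest(param.encode(), user.auth_key.encode()):
        return 401
    return 200
```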

Option Sets

  • Never store sensitive data (always public).

Page Security

  • Avoid names like Admin or Secret (page names are public).

  • Delete/protect test pages.

  • Restrict page access via User Role conditions on page load.

API Connector

  • Use parameters for URLs instead of hardcoding.
    [url]/[call]

  • Clear test data from parameters.


How do the 3 tips under Inputs affect security?

This helps in preventing many injection-style attacks (SQLi, XSS, command injection) by limiting the character count and removing all unwanted special characters.


But doesn’t Bubble already protect inputs against these types of attacks?

Kind of yes, but in case the app needs to be audited by some agency for some certification, they check these things.

So it is a good practice to have these.