[SECURITY] HSTS Headers

Hi @Bubble / @emmanuel

I’m on the verge of launching a new app and it’s being assessed by the security team of my client. We had a lot of complaints about the lack of HSTS in Bubble, making it possible to execute man-in-the-middle attacks.
Where can I set for such headers to be sent in every single response out from Bubble?

Hi there @leonardo.cardoso,

Here’s some info on Bubble and its security protocols: Security | Bubble

For specifics, I’d send them an email at support@bubble.io

1 Like

Hi @johnny

I’ve sent the same information to security and support, still waiting for any response.

Any luck on how to accomplish this yet? Seems like it could be an important security practice.

It is. I reported this to Bubble Support and Security Team, this is their response:

Hello Leonardo,

Thanks for reaching out! Our team takes security very seriously, and we definitely understand your concerns regarding lack of HSTS. While there currently isn’t a way to add this header yourself, I’ve shared your feature request with our engineering team for their evaluation. I will follow up with you if the team determines that this is something that is feasible for them to implement at this time.

Please let us know if you have any additional questions in the meantime.

Best,

Soo, yeah, Bubble doesn’t have HSTS headers, kind of sad because this adds to other security failures that you can find in Bubble, like the Airtable API calls that are made in the front-end, leaving all data exposed to anyone who can press F12 in their browser.

That’s too bad, it seems like it would be easy enough for us to add it to the Header section manually.

Here is the link where it checks for this and other security issues: https://securityheaders.com/

If someone has any other suggestions, please let us know.
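As an added example (not code from Bubble, securityheaders.com or anyone in this thread), the following script performs offline the kind of header check the securityheaders.com scan does, for the three headers discussed here: Strict-Transport-Security, X-Frame-Options and Content-Security-Policy. It also handles a caveat worth knowing before you try to bolt HSTS on with a proxy: per RFC 6797 a browser ignores an HSTS header received over plain HTTP, so the check takes the scheme into account. The two sample responses are constructed for illustration and were not captured from any real host; the six-month threshold is the one securityheaders.com and the HSTS preload list use.

```python
"""Offline audit of HTTP response headers for HSTS, X-Frame-Options and CSP.
Added example; not Bubble's or securityheaders.com's code. Sample responses
below are constructed, not captured from a live site."""

from dataclasses import dataclass

# Minimum max-age expected by securityheaders.com / the HSTS preload list:
# roughly six months in seconds (15768000 = 182.5 days).
SIX_MONTHS = 15_768_000


@dataclass(frozen=True)
class Finding:
    header: str
    level: str   # "missing", "weak" or "ok"
    detail: str


def parse_raw_headers(raw: str) -> dict[str, str]:
    """Parse a raw HTTP/1.x response header block into a dict keyed by
    lower-cased field name. Repeated fields are joined with ', '."""
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                # blank line ends the headers
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def parse_hsts(value: str) -> dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains' into a directive dict.
    Directive names are case-insensitive (RFC 6797 section 6.1)."""
    directives: dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: dict[str, str], scheme: str) -> Finding:
    """Grade the HSTS header. The scheme matters: RFC 6797 section 8.1 says
    a browser MUST ignore HSTS received over a non-TLS connection."""
    h = "Strict-Transport-Security"
    value = headers.get("strict-transport-security")
    if value is None:
        return Finding(h, "missing", "no HSTS; first visit over http:// can be intercepted")
    if scheme != "https":
        return Finding(h, "weak", "header sent over plain HTTP, browsers ignore it")
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return Finding(h, "weak", "max-age missing or not an integer; header is invalid")
    if max_age == 0:
        return Finding(h, "weak", "max-age=0 tells browsers to forget the policy")
    if max_age < SIX_MONTHS:
        return Finding(h, "weak", f"max-age={max_age} is below the ~6 month minimum")
    if "includesubdomains" not in d:
        return Finding(h, "ok", "set, but subdomains are not covered (no includeSubDomains)")
    return Finding(h, "ok", "max-age >= 6 months with includeSubDomains")


def check_framing(headers: dict[str, str]) -> Finding:
    """X-Frame-Options, the one setting Bubble does expose per this thread."""
    h = "X-Frame-Options"
    value = headers.get("x-frame-options", "").upper()
    if not value:
        return Finding(h, "missing", "page can be framed by any origin (clickjacking)")
    if value in ("DENY", "SAMEORIGIN"):
        return Finding(h, "ok", value)
    return Finding(h, "weak", f"unrecognised value {value!r}; browsers treat it as absent")


def check_csp(headers: dict[str, str]) -> Finding:
    h = "Content-Security-Policy"
    value = headers.get("content-security-policy")
    if value is None:
        return Finding(h, "missing", "no CSP; injected scripts run unrestricted")
    if "unsafe-inline" in value or "unsafe-eval" in value:
        return Finding(h, "weak", "policy allows unsafe-inline/unsafe-eval")
    return Finding(h, "ok", "present without unsafe-* sources")


def audit(raw_response: str, scheme: str = "https") -> list[Finding]:
    headers = parse_raw_headers(raw_response)
    return [check_hsts(headers, scheme), check_framing(headers), check_csp(headers)]


# Constructed responses: the first matches what the thread describes (only
# X-Frame-Options available), the second what a header-adding proxy could send.
RESPONSE_AS_DESCRIBED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
"""

RESPONSE_BEHIND_PROXY = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
"""

if __name__ == "__main__":
    for label, raw in (("as described", RESPONSE_AS_DESCRIBED),
                       ("behind proxy", RESPONSE_BEHIND_PROXY)):
        print(label)
        for f in audit(raw):
            print(f"  {f.level:8s} {f.header}: {f.detail}")
```

To run it against a real deployment, paste the raw header block from `curl -sI https://your-app.example` (hypothetical host) into `audit()`; the `scheme` argument should match the URL you fetched, since an HSTS header that only appears on the http:// redirect hop does not protect anyone.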

This and something else has been noodling around in my mind for a while, this

  • HSTS and being able to manage the HTTP headers,
  • putting Bubble, Webflow, x,y,z all behind a proxy so they are served from the same domain for SEO reasons
  • IP restrictions
  • WAF
  • Just having a better security story

all have me thinking about putting Bubble behind a proxy like Nginx, Cloudflare … others have tried and given up …

I just lost a client for a project.

They made an assessment of the app and found some issues; their compliance team required HSTS headers for security reasons. Some things went fine, but with the lack of HSTS and problems with the /fileupload endpoint, they changed their minds.

Kinda hurts.

Hi @leonardo.cardoso ,
I’m close to having a solution for this problem, i.e. fixing Bubble to have the correct headers etc. etc. (by having Bubble behind a proxy that “fixes” all the security requirements).

Other than HSTS headers - were there any other security requirements you couldn’t meet? I want to see if I can “fix” them all with a proxy setup. 🙂

Thanks
Lindsay

With nocodemayo.com you get HSTS and security headers for only 5 dollars a month.

any solution?

can you send me your e-mail?

I would like to know more about this plugin.

Still no update on this, crazy.

Hi all - Just another bump on this as I’m facing this issue related to a Zoom SDK review process. Has anyone made any progress or found any workarounds? Thanks

Is this solved?

Hi @matthew18, I’m also trying to add zoom sdk and faced the same issue. Did you find any workarounds?

Hi @prograds and @dev124 - not solved unfortunately. I’ve pasted Bubble support’s response to me below for information.

In the end, this wasn’t a show stopper for me as this particular part of the application wasn’t necessary for our use. Hope it’s also a nice-to-have for your use cases.

— Bubble Support Response —

Thanks for reaching out.

Currently, Bubble does not expose a setting that allows you to configure Content-Security-Policy headers directly. However, users have found a workaround by changing the X-Frame-Options setting in their app to “Block all frames” to address some security concerns. This setting can be found in Settings → General.

It’s important to note that the Bubble team is aware of the missing headers issue, but it is considered low-priority with no immediate plan to resolve it. This is because enabling these headers platform-wide could potentially break site functionality, and the task of updating the Content-Security-Policy header is complex due to its impact on site architecture. Nevertheless, it has been added as a project to Bubble’s roadmap.

1 Like

@Bubble adding onto this thread to reinforce the request — I also have a prospective client who expects HSTS and more restrictive Content Security Policy headers. Please make this available or resolve the problems associated with enabling Cloudflare’s proxy feature.

1 Like

Best to tag @fede.bubble

Thanks, I’ve sent this to the security team so they can take a look.

1 Like