Hi @Bubble / @emmanuel

I’m in the verge of lauching a new app and it’s being assessed by the security team of my client. We had a lot of complains about the lack of HSTS in Bubble, making it possible to execute Man In The Middle Attacks.
Where can I set for such headers to be sent in every single response out from Bubble?

Hi there @leonardo.cardoso,

Here’s some info on Bubble and it’s security protocols: Security | Bubble

For specifics, I’d send them an email at support@bubble.io

1 Like

Hi @johnny

I’ve sent the same informations to security and support, still waiting for any response

Any luck on how to accomplish this yet? Seems like it could be an important security practice.

It is. I reported this to Bubble Support and Security Team, this is their response:

Hello Leonardo,

Thanks for reaching out! Our team takes security very seriously, and we definitely understand your concerns regarding lack of HSTS. While there currently isn’t a way to add this header yourself, I’ve shared your feature request with our engineering team for their evaluation. I will follow up with you if the team determines that this is something that is feasible for them to implement at this time.

Please let us know if you have any additional questions in the meantime.


Soo, yeah, Bubble doesn’t have HSTS Headers, kind sad because this sums up with other security failures that you can find out in Bubble, like the Airtable API calls that are made in front-end leaving all data exposed for anyone that can press F12 in their browser.

That’s too bad, it seems like it would be easy enough for us to add it to the Header section manually.

Here is the link where it checks for this and other security issues: https://securityheaders.com/

If someone has any other suggestions, please let us know.

This and something else has been noodling around in my mind for a while, this

  • HSTS and being able to manage the HTTP headers,
  • putting bubble, weblflow, x,y,z all behind a proxy so they are served from the same domain for SEO reasons
  • IP restrictions
  • WAF
  • Just having a better security story

all have me thinking about putting Bubble behind a proxy like Nginx, Cloudflare … others have tried and given up …

I just lost a client for a project.

They made an assessment of the app and found some issues, their compliance team required HSTS headers for security reasons. Some stuff went fine, but the lack of HSTS and problems with /fileupload endpoint, after that they changed their minds.

Kinda hurts.

Hi @leonardo.cardoso ,
I’m close to having a solution for this problem, ie fixing Bubble to have the correct headers etc etc (by having Bubble behind a proxy that “fixes” all the security requirements.)

Other than HSTS headers - were there any other security requirements you couldn’t meet? I want to see if I can “fix” them all with a proxy setup. :slight_smile:


with nocodemayo.com you get hsts and security headers for only 5 dollars a month

any solution?

can you send me your e-mail?

I would like to know more about this plugin.