Secure your app
This page lays out best practices when it comes to making your app and your data secure.
SSL ensures that the data transmitted between the server and the browser is encrypted - make sure to set it up by checking the box located in the Settings > Domain/email section of the Bubble Editor.
Having robust privacy rules is essential in making sure that your server doesn't send data to a browser that the user is not supposed to see. See link below for more information about setting those up.
You shouldn't use a popup with the checkbox "This popup can't be closed by pressing Esc" to lock users out of pages. The reason is that those popups can be closed relatively easily using Developer Tools in the browser. A popup is client-side UI, not an access control: anything that must stay hidden from a user has to be enforced on the server by privacy rules.
If your application needs to store very sensitive data, like Social Security numbers, credit card numbers, etc., you should probably not store those as plain text in the database. Bubble does encrypt all data at rest but if you've accidentally made your privacy rules more loose than they should be, someone may get a hold of your data. We would recommend encrypting the values that go into those sensitive fields yourself and then decrypting them before they're used.
Use the "Define a password policy" functionality found in the Settings > General section of the Bubble editor to set the minimum length, capital letter requirements, etc.
If you need to make an API call that uses a secret key or a token, make sure that it's not populated on any page but is instead in one of these two places:
1. In the API connector, marked as "Private"
2. In an API workflow
This will ensure that the user's browser never sees the API key/token.