Secure your app

This page lays out best practices when it comes to making your app and your data secure.

Enable SSL

SSL ensures that the data transmitted between the server and the browser is encrypted - make sure to set it up by checking the box located in the Settings > Domain/email section of the Bubble Editor.

Create privacy rules

Having robust privacy rules is essential in making sure that your server doesn't set data to a browser that the user is not supposed to see. See link below for more information about setting those up.

No lock-out popups

You shouldn't use a popup with the checkbox This popup can't be closed by pressing Esc to lock users out of pages. The reason is that those popups can be closed relatively easily using Developer Tools in the browser.

Don't store sensitive data in an unencrypted format

If your application needs to store very sensitive data, like Social Security numbers, credit card numbers, etc., you should probably not store those as plain text in the database. Bubble does encrypt all data at rest but if you've accidentally made your privacy rules more loose than they should be, someone may get a hold of your data. We would recommend encrypting the values that go into those sensitive fields yourself and then decrypting them before they're used.

Set minimum password requirements

Use the Define a password policy functionality found in Settings > General section of the Bubble editor to set the minimum length, capital letter requirements, etc.

Don't use private API keys/tokens on the page

If you need to make an API call that uses a secret key or a token, make sure that it's not populated on any page but is instead in one of these 2 places:

  1. In the API connector, marked as "Private"

  2. In an API workflow

This will ensure that the user's browser never sees the API key/token.

Last updated