Bubble includes a variety of security checks designed to help keep your app secure. The specific security features available to you depend on your current subscription plan.
This article outlines which security features are included in each plan. For a more in-depth explanation of each feature, refer to the detailed descriptions provided at the bottom of the article (or follow the links in the tables below).
Basic security checks
Flusk provides foundational security checks to safeguard your apps from common vulnerabilities. These checks, called “issues” in your dashboard, help identify essential risks and ensure a secure starting point. While the Starter plan includes only these basic checks, all other plans offer both basic and advanced security features for comprehensive protection.
Feature | Starter | Growth | Team | Enterprise
Missing privacy rules | ✅ | ✅ | ✅ | ✅
Sensitive data exposed in workflows | ✅ | ✅ | ✅ | ✅
Editor data visibility risk | ✅ | ✅ | ✅ | ✅
Weak password policies | ✅ | ✅ | ✅ | ✅
Unprotected test environments | ✅ | ✅ | ✅ | ✅
Default username/password risk | ✅ | ✅ | ✅ | ✅
Publicly accessible sensitive fields | ✅ | ✅ | ✅ | ✅
Advanced security checks
Advanced security checks are designed to detect more complex vulnerabilities and potential threats to your app’s infrastructure. While Flusk can detect these issues regardless of your plan, detailed information is limited unless your plan includes advanced checks.
Feature | Starter | Growth | Team | Enterprise
Secure page protection | ❌ | ✅ | ✅ | ✅
Database exposure risks | ❌ | ✅ | ✅ | ✅
Compromised API tokens | ❌ | ✅ | ✅ | ✅
Unauthorized collaborator access | ❌ | ✅ | ✅ | ✅
Improperly secured map API keys | ❌ | ✅ | ✅ | ✅
Exposed sensitive API parameters | ❌ | ✅ | ✅ | ✅
Sensitive data in API URLs | ❌ | ✅ | ✅ | ✅
Unprotected backend workflows | ❌ | ✅ | ✅ | ✅
Temporary password exploits | ❌ | ✅ | ✅ | ✅
Insecure API documentation (Swagger) | ❌ | ✅ | ✅ | ✅
Publicly accessible file uploaders | ❌ | ✅ | ✅ | ✅
Publicly accessible picture uploaders | ❌ | ✅ | ✅ | ✅
Unrestricted iFrame embedding | ❌ | ✅ | ✅ | ✅
Glossary
Missing privacy rules
Overview
This check identifies cases where your app’s database privacy rules aren’t defined. Privacy rules control who can view, search, or modify specific data in your database. When privacy rules are missing, it increases the risk of exposing sensitive user information to unauthorized access, which could lead to data misuse.
Example
If no privacy rules are set for a user data type, anyone with access to the app could retrieve personal information through a search or API call.
Sensitive data exposed in workflows
Overview
Detects workflows that expose sensitive data (e.g., user IDs, emails, or financial information) in ways that unauthorized users could intercept or access. You can customize which fields and data types are treated as sensitive, or override any of the defaults.
Example
A workflow sends a user’s email address in a query string or includes it in logs visible in the browser’s developer tools, exposing it to malicious actors.
Editor data visibility risk
Overview
Flags settings that allow sensitive data to be visible to app editors, risking accidental leaks or misuse during app development.
Example
An app editor sees confidential user data like purchase histories while debugging workflows, even though it’s unrelated to their tasks.
Weak password policies
Overview
Ensures that end-user password requirements are robust enough to prevent brute-force attacks or unauthorized access.
Example
A password policy that allows simple passwords like “12345” makes it easy for attackers to guess credentials and gain access.
Unprotected test environments
Overview
Identifies test versions of the app that are accessible without proper authentication, exposing sensitive or unfinished features to the public.
Example
The test version of your app is live and accessible via a shared link, allowing unintended users to explore unreleased functionality or data.
Default username/password risk
Overview
Detects default admin credentials for your development version (e.g., “username”/“password”) that are easy to guess and compromise.
Example
An app’s admin panel uses default credentials, and an attacker gains access by guessing them.
Publicly accessible sensitive fields
Overview
Flags database fields marked as public that contain sensitive data, making them accessible to unauthorized users.
Example
A field storing user payment history is marked as public, allowing anyone with access to query this data.
Secure page protection
Overview
Detects pages that lack a server-side redirect for unauthorized end users, allowing them to navigate to secure areas of the app. The check verifies both frontend permissions and server-side redirects.
Example
A user without admin privileges manually enters the admin dashboard URL and gains access because no page-level restrictions are set.
Database exposure risks
Overview
Identifies unsecured database queries or structures that could expose data to unauthorized users.
Example
A search query in a public-facing workflow retrieves all users’ information without filtering for the current user.
Compromised API tokens
Overview
Detects exposed or improperly secured API tokens, which could allow unauthorized access to external services.
Example
An API token for a payment service is visible in a browser’s developer tools, enabling attackers to misuse it.
Unauthorized collaborator access
Overview
Flags improperly managed Bubble app collaborator roles that grant unwarranted permissions, risking accidental or malicious changes.
Example
A former freelancer still has access to your app and can modify workflows or view sensitive data.
Improperly secured map API keys
Overview
Identifies unsecured API keys for Google Maps or similar services, which could lead to unauthorized usage or billing.
Example
Your public-facing app exposes a Google Maps API key, allowing attackers to use it for their projects, leading to unexpected charges.
Exposed sensitive API parameters
Overview
Detects API calls that include sensitive data in plain text or unsecured formats.
Example
A call to a payment gateway includes the third-party API key and isn’t marked as hidden.
Sensitive data in API URLs
Overview
Flags URLs that include sensitive information (e.g., usernames or session tokens) which could be logged or intercepted.
Example
A session token appears in a URL shared with a third party, granting them unauthorized access to the user’s session.
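The two checks above (sensitive data leaking through query strings in workflows, and sensitive data in API URLs) both come down to spotting secrets or personal data in URL parameters. The following is an added example, not Flusk's or Bubble's own code, of a small detector for that pattern; the parameter-name list, the regular expressions and the sample URLs are constructed for this illustration.

```python
# Added example (not Flusk's or Bubble's code): scan URLs for query or fragment
# parameters that carry credentials or personal data, the kind of finding the
# "Sensitive data in API URLs" check reports. Name list and samples are constructed.
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names commonly used for secrets or PII (assumed list; extend as needed).
SENSITIVE_PARAM_NAMES = {
    "token", "access_token", "api_key", "apikey", "session", "sessionid",
    "password", "email", "username", "user_id", "ssn", "card",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Long base64/hex-looking values are often tokens even under an innocuous name.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{32,}$")


def find_sensitive_url_params(url: str) -> list[tuple[str, str]]:
    """Return (parameter, reason) pairs for each query or fragment parameter that looks sensitive."""
    parts = urlsplit(url)
    findings = []
    # Parameters in the fragment are not sent to the server, but they still end up in
    # browser history, shared links and client-side logs, so scan them as well.
    for source in (parts.query, parts.fragment):
        for name, value in parse_qsl(source, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAM_NAMES:
                findings.append((name, "sensitive parameter name"))
            elif EMAIL_RE.match(value):
                findings.append((name, "value looks like an email address"))
            elif TOKEN_RE.match(value):
                findings.append((name, "value looks like a token or key"))
    return findings


def audit_urls(urls):
    """Map each URL that carries sensitive-looking parameters to its findings."""
    return {u: f for u in urls if (f := find_sensitive_url_params(u))}


if __name__ == "__main__":
    sample = [  # constructed sample URLs
        "https://example.app/api/1.1/wf/send_invite?email=jane%40example.com",
        "https://example.app/reset#token=abcdef0123456789abcdef0123456789ABCD",
        "https://example.app/api/1.1/obj/product?cursor=100&limit=50",
    ]
    for url, findings in audit_urls(sample).items():
        print(url, findings)
```

Only the first two sample URLs are reported; the paginated product query carries no sensitive parameter and passes.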
Unprotected backend workflows
Overview
Identifies backend workflows that lack authentication, making them vulnerable to unauthorized triggers.
Example
An attacker discovers and runs an API workflow that deletes records from your database.
Temporary password exploits
Overview
Flags workflows that use temporary passwords without proper expiration or security measures.
Example
A user’s temporary password is generated on the client side, making it possible for an attacker to reset anyone’s password, including admins.
Insecure API documentation (Swagger)
Overview
Detects exposed Swagger documentation that reveals sensitive API endpoints and operations.
Example
Swagger docs expose sensitive APIs, giving attackers a roadmap to exploit your app.
Publicly accessible file uploaders
Overview
Flags file upload fields that allow anyone to upload files without restrictions, risking malicious file injections.
Example
A file uploader doesn’t link the file to a database entry, and therefore isn’t applying privacy rules.
Publicly accessible picture uploaders
Overview
Identifies picture uploaders that allow unrestricted uploads, which could result in misuse or security breaches.
Example
An image uploader doesn’t link the file to a database entry, and therefore isn’t applying privacy rules.
Unrestricted iFrame embedding
Overview
Detects iFrames that allow embedding from unauthorized domains, risking phishing or content hijacking.
Example
An attacker embeds your app in a malicious iFrame to harvest user inputs or mimic legitimate functionality.