Security & Privacy
Password policy
Bubble allows you to set up a password policy for user sign-up. Stick to password best practices and force your users to create a secure password. The User Access Management element has password validation workflows so users can see whether their password is secure enough.
Limit access to your app with a password
By default, Bubble requires a username and password to preview the development version of your app. It's good practice to create a secure username and password during the development of your application. Anyone who knows the Bubble app name of the application you are developing can otherwise access the development version while you are building your app, which you will want to avoid.
Redirect rules
You may want to limit access to certain app pages for specific users or user roles. By setting up a User Role on your users, you can create workflows on your pages that redirect users away from a page. You can also use the 'user is logged in' or 'not logged in' expression to prevent users from accessing pages or content they should not have access to.
Because the page can load data for a brief moment when the user navigates to it, you can add additional security to your content groups by unhiding them only for certain users.
There is a dedicated reusable element (Security Redirect) to handle redirects; you can read more about it in this section.
Workflow API
When you use API/backend workflows, the endpoints you create can be accessed publicly unless you specify otherwise.
Expose as public endpoint
When an outside service needs access to your application, check this box. Otherwise the endpoint will never be visible from outside your application. If you create an API workflow for internal use only, you can uncheck this box.
Run without authentication
Your app has a private key that you can use to sign API requests. If you want a service or user to run the workflow without authentication (not logged in), check this box. If you need to expose your public endpoint, there are multiple ways you can secure it. Read more about how to authenticate your endpoints in this section.
Ignore privacy rules
If you want the workflow to run as an 'Admin' user, with access to all data, check this box. Be very careful with this checkbox, as it could potentially allow outside services to run workflows that could harm your application.
Privacy Rules
Privacy rules basics:
View all fields: If unchecked, the user will not be able to read or display the field in the UI or in workflows.
Find this in searches: The limitation applies to 'Do a search for' used for repeating groups. If you use a single Unique ID instead (e.g. when displaying Product details), the user will still be able to access that data, but only when they can view those fields.
Exposing data without having privacy rules set up will allow third parties to easily access data.
Authenticating webhooks: see article → API's endpoints Authentication
Advanced:
If the element referring to a data point is not rendered on the page, the data is not loaded on the page. The exception to this rule is loading data in repeating groups: even if the data is not displayed in the repeating group, it is loaded on the page. Keep this in mind when creating privacy rules.
As we work a lot with repeating groups, keep in mind that privacy rules can break the ‘auto-refreshing’ of data on the page.
For example: If you give access to a data type on page load, the page needs to be refreshed for Bubble to fetch the data again, now under different privacy rules.
Also, privacy rules block access to that data, but they sometimes show empty cells in a repeating group, etc. Best practice is to set up searches with constraints and privacy rules at the same time.
File security
If you store files with sensitive information, you need to attach the images to data types for best file security. From the Bubble manual:
This option is only visible if 'Make this file private' is selected. Private files uploaded with this element are permanently attached to a thing, which is used to determine who has access to view the file. Only users who have the 'View attached files' permission for that thing can view the file. Go to the Privacy section to create privacy rules that grant this permission. If the value of 'Attach this file to' is empty or the thing does not exist, the file will be visible to anyone who has the link, which is the same as if 'Make this file private' was not selected
Files that are not attached to an object and exposed long enough will be vulnerable to a data breach.