Simon Jenner
Tuesday, 13 December 2022
We explore whether you can build secure apps with the Bubble.io no-code tool.
Check your Bubble App security
If you want to check the security of your Bubble.io app, you can use the free Million Labs Bubble App Security Checker tool.
100% Secure?
One of the early questions we get asked when a startup founder is considering building on a no-code platform like Bubble.io is "is it secure?" Let's explore the question.
I come from a cyber security background, so I can give a somewhat educated view on the topic, but first a caveat: no platform, no-code or coded, is 100% secure. Since nothing is 100% secure, we are looking for a platform whose provider has taken all reasonable steps to secure it.
Bubble.io is a Software as a Service (SaaS) platform, which means it provides you with an environment comprising a database, content delivery network (caching), editor, backend server and file server. You don't have to set up any of these yourself, so you can concentrate on building your app. That is the genius of no-code: it makes building much quicker.
Bubble Platform Security
Data - Bubble hosts the platform on Amazon Web Services (AWS), which is used by lots of startups. Your app data is encrypted in the database using AES-256, which would take millions of years to hack.
Code - Bubble uses penetration testing on its code base and application so that security issues are picked up before code is released. This is a best-practice approach and reduces the chances of a security issue being introduced.
Compliance - There are various security and data compliance certifications, such as ISO 27001 and SOC 2, and specific regulations such as HIPAA (Health Insurance Portability and Accountability Act) for the medtech sector. To our knowledge, Bubble itself as an organisation is not compliant with any security certifications, but some of the platforms it uses, such as AWS, are. It does mean it would be difficult, if not impossible, to build a compliant app on top of Bubble. So if you need an app that complies with any of the security certifications, your only option currently is a Bubble.io dedicated instance, where you can run it on your own AWS instance.
Your Bubble App
Just because a platform is secure does not mean your app is secure. A lot of the security control of your app is in your or your developer's hands. We see way too many apps that look amazing but were left with lots of gaping holes because the developer didn't understand how to make a Bubble app secure.
Here are the basics of how to secure a Bubble App:
- Ensure the app is set to be a private app
- Ensure all public APIs are authenticated (unless they are webhooks)
- Keep the Bubble version up to date
- Keep plugins up to date
- Ensure all data types have privacy rules applied
- Don't store sensitive data in the database (e.g. credit cards)
- Ensure the front end enforces access control (e.g. user must be logged on to view this page)
These are the very basic things that you should do. If you follow these simple rules then you can create a secure Bubble app. If you want to check whether your Bubble app is secure, use the free Million Labs Bubble App Security Checker tool to check your app; the report will highlight potential security and performance issues.
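The checklist items on authenticated public APIs and privacy rules can be verified by reviewing what your own app returns to a request made without a login. The sketch below is an added example, not code from Million Labs or Bubble: it assumes JSON responses shaped like `{"response": {"results": [...]}}`, and the sample responses, data type names and list of sensitive field-name hints are all constructed for illustration.

```python
import json

# Hypothetical hints for field names that deserve a closer look.
SENSITIVE_HINTS = ("email", "phone", "address", "card", "token", "password")


def audit_response(data_type, status, body):
    """Classify one response that was fetched WITHOUT credentials."""
    if status in (401, 403):
        return {"type": data_type, "finding": "ok: authentication required"}
    if status == 404:
        return {"type": data_type, "finding": "ok: type not exposed"}
    if status != 200:
        return {"type": data_type, "finding": f"unknown: HTTP {status}"}
    try:
        # Assumed body shape: {"response": {"results": [ {...}, ... ]}}
        results = json.loads(body)["response"]["results"]
    except (ValueError, KeyError, TypeError):
        return {"type": data_type, "finding": "unknown: unexpected body"}
    if not isinstance(results, list):
        return {"type": data_type, "finding": "unknown: unexpected body"}
    if not results:
        return {"type": data_type, "finding": "ok: no records visible anonymously"}
    # Records came back with no login: list which fields anonymous users can read.
    fields = sorted({k for rec in results if isinstance(rec, dict) for k in rec})
    risky = [f for f in fields if any(h in f.lower() for h in SENSITIVE_HINTS)]
    severity = "high" if risky else "review"
    return {
        "type": data_type,
        "finding": f"{severity}: {len(results)} record(s) readable without login",
        "fields": fields,
        "sensitive_fields": risky,
    }


# Constructed sample responses: (data type, HTTP status, body).
SAMPLES = [
    ("user", 200, '{"response": {"results": [{"_id": "constructed-1", '
                  '"email": "a@example.com", "plan": "free"}], "count": 1}}'),
    ("order", 200, '{"response": {"results": [], "count": 0}}'),
    ("invoice", 401, ""),
    ("note", 200, '{"response": {"results": [{"_id": "constructed-2", '
                  '"title": "hello"}], "count": 1}}'),
]


def audit_all(samples):
    return [audit_response(*sample) for sample in samples]


if __name__ == "__main__":
    for row in audit_all(SAMPLES):
        print(row)
```

A "high" or "review" finding means the data type needs a privacy rule or the API needs authentication; an empty result set only shows that nothing is visible to anonymous users, not that logged-in users are correctly restricted.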