How to secure a Bubble app

To secure a Bubble app, you must rely on Privacy Rules in the Data tab, protect all sensitive actions with “Only when” conditions, avoid exposing data in searches unless allowed by privacy, and move anything sensitive to backend workflows. These four parts cover almost every real security risk in Bubble.

Use Privacy Rules (the core security layer)

Privacy Rules define which data a user is allowed to see. They apply before any workflow runs, even before page loads. This prevents accidental data leaks through searches, inspector tools, or API calls.

• Create rules for each Data Type (like User, Order, Message).
• Use roles like This User is Current User or custom yes/no fields.
• Uncheck Find in searches when the user shouldn’t see a record at all.
• Do not rely on hiding UI — privacy rules decide what’s actually sent to the browser.

Move sensitive operations to Backend Workflows

Backend workflows run on the server and keep data hidden from the browser. Use them for things like creating payments, modifying another user's data, or receiving webhooks.

• Enable Backend workflows in Settings → API.
• Call backend workflows from the page using "Schedule API workflow".
• Never run critical logic in "When button is clicked" if it edits protected data.

Protect workflows with “Only when”

Every workflow step has an Only when field. This prevents actions like editing another user's data or creating objects a user shouldn't create.

• Add checks like Current User is logged in or Current User’s role is Admin.
• Use constraints like Thing’s owner = Current User.

Avoid leaking sensitive data in searches

Bubble sends search results to the browser. Even if the group is hidden, the data is visible through browser tools unless privacy rules block it.

• Never use searches that return unrestricted User data.
• Do not load “everything” for convenience — always filter.
• Use privacy rules to control fields visible such as email, phone, roles.

Secure API endpoints

If you expose API endpoints, protect them.

• Use API keys or “This workflow can be run without authentication = no”.
• Validate received data before making changes.

// Example of secure backend workflow constraint
Only when: Current User's is_admin is "yes"