What are Bubble security best practices?

The best practices specific to Bubble (not generic OWASP)

Every "security best practices" list tells you to use HTTPS and rotate keys. Those are table stakes. The list below is what actually matters for Bubble apps, based on the risks that appear in real Bubble deployments.

1. Configure privacy rules for EVERY data type in Data → Privacy

*Why:* Data types without privacy rules expose all data to all users. *Do this:* Configure privacy rules for EVERY data type in Data → Privacy.

2. Check 'This workflow requires authentication' on all API workflows

*Why:* API workflows are public by default—anyone can call them. *Do this:* Check 'This workflow requires authentication' on all API workflows.

3. Audit plugins

*Why:* Third-party plugins have access to your data with varying security. *Do this:* Audit plugins. Remove unused ones. Only use trusted developers.

4. Assume structure is known

*Why:* Network requests reveal database schema to inspecting users. *Do this:* Assume structure is known. Rely on privacy rules for security.

5. Move sensitive operations to backend workflows

*Why:* Workflow logic partially visible in browser developer tools. *Do this:* Move sensitive operations to backend workflows.

Verification

Even perfect best practices don't prove themselves — the only way to confirm the list above is implemented is to scan a deployed Bubble app. VAS probes each of privacy rules, api workflows, data security, plugin security by actually attempting the attack, not just reading headers or docs.