Bubble.io Privacy Rules Made Easy


Victor Nihoul


May 2, 2023


Setting up privacy rules for your Bubble.io app can be challenging, tedious, and let's face it, not everyone's favorite task.

In this article, we'll introduce you to our new, free AI Privacy Rules Checker, which will help you define your Privacy Rules more effectively. Plus, we'll provide additional context on how database security works in Bubble.

Understanding Database Security in Bubble.io

A common misconception is that your database remains secure as long as you don't expose it via the Data API and avoid querying/searching entries from unsecured areas of your app (e.g., pages accessible by non-logged-in users). Unfortunately, this is not true, and such beliefs may lead Bubble developers to create unsecured apps.

The key to maintaining database security lies in Privacy Rules. Even if your Data API is not open and you're not executing queries in unprotected parts of your app, your database remains accessible. This is a technical necessity for your Bubble app to function: if users need to search and access the database from your app, there must be an endpoint through which the database can be retrieved, and it is only at that point that the Privacy Rules apply.

In essence, every Bubble app has a public API endpoint for directly querying your database, with no authentication or token required. The only security barrier in place is your Privacy Rules.

Is There a Security Vulnerability in Bubble?

No, the approach above is standard practice, and Bubble's endpoints are adequately secured. The Privacy Rules offer the flexibility and power needed to fully secure your app's data.

While some argue that Bubble should be more proactive and explicit about security, in our opinion, Bubble provides sufficient reminders and defaults (such as popups to define your Privacy Rules and default Privacy Rules applied to the User database).

Effective Privacy Rules Definition: Key Requirements

An effective Privacy Rules definition should meet the following criteria:

  • Ensure that your databases are never publicly accessible unless they are meant to be fully public (e.g., a blog)
  • Prevent users from accessing more data about other users than absolutely necessary
  • Do not rely on the "User is logged in" expression if everyone can sign up for your app
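The three criteria above can be checked mechanically by computing what each kind of viewer can see. The following Python code is an added example, not code from the original article or from Bubble: the rule format, the condition names (`everyone`, `logged_in`, `creator`), the sample app and the assumption that a viewer sees the union of fields granted by every matching rule are all constructed for illustration.

```python
# Hypothetical, simplified model of privacy rules (not Bubble's own format or engine).
# Assumption: a viewer sees the union of fields granted by every rule that matches.
APP = {  # constructed sample app; "public" lists fields meant to be visible to anyone
    "BlogPost": {"public": {"title", "body"},
                 "rules": [("everyone", {"title", "body"})]},
    "Invoice":  {"public": set(),
                 "rules": [("logged_in", {"amount", "customer_email"})]},
    "User":     {"public": {"display_name"},
                 "rules": [("creator", {"email", "phone"}),
                           ("everyone", {"display_name", "email"})]},
    "Note":     {"public": set(),
                 "rules": [("creator", {"text"})]},
}

def applies(condition, viewer):
    """viewer is 'anonymous', 'stranger' (any self-registered account) or 'owner'."""
    if condition == "everyone":
        return True
    if condition == "logged_in":
        return viewer != "anonymous"
    if condition == "creator":
        return viewer == "owner"
    raise ValueError(f"unknown condition: {condition}")

def visible_fields(app, data_type, viewer):
    """Fields of data_type that the given viewer can read."""
    fields = set()
    for condition, granted in app[data_type]["rules"]:
        if applies(condition, viewer):
            fields |= granted
    return fields

def audit(app, open_signup=True):
    """Return (type, viewer, leaked fields) for data exposed beyond what is intended."""
    findings = []
    for name, spec in app.items():
        anon_leak = visible_fields(app, name, "anonymous") - spec["public"]
        if anon_leak:
            findings.append((name, "anonymous", sorted(anon_leak)))
        # With open sign-up, "logged in" is no barrier: anyone can become a stranger.
        stranger_leak = visible_fields(app, name, "stranger") - spec["public"] - anon_leak
        if open_signup and stranger_leak:
            findings.append((name, "stranger", sorted(stranger_leak)))
    return findings

if __name__ == "__main__":
    for finding in audit(APP):
        print(finding)
```

In the sample app, the `Invoice` rule that relies only on the logged-in condition is reported as soon as sign-up is open, and the `User` rule exposes `email` to everyone even though only `display_name` was meant to be public.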

How Can You Verify Your Privacy Rules?

Another challenge is determining whether your privacy rules are functioning correctly. One method is to create a test page with repeating groups for each of your data types. Log in as different users and test your Privacy Rules with various roles to see which data is properly displayed or hidden.

While this method is straightforward, it can be difficult to maintain or implement in larger apps. If you choose this approach, be sure to secure your test page. Our free 2023 Security Cheat Sheet also covers how to build secure pages.

To simplify this testing process, we have developed a free online tool that can directly query your database and reveal any data leaks in your app, along with contextual example data.

Using our AI Privacy Rules Checker

Access the tool here and enter your app URL or ID to run a test. Within a few minutes, you'll see your app's various databases and their security levels. If any data leaks are detected, the tool will display the affected fields and provide example data.

The public version of the tool tests your live database as a non-logged-in user, so the results accurately reflect your app's publicly available data.

Once you have identified any leaks, adjust your Privacy Rules expressions and settings, deploy the changes, and run a new test to confirm that the leaks have been resolved.

Additional Resources

To delve deeper into Bubble's security features and learn how to build secure apps, we highly recommend reading our 2023 Security Cheat Sheet, a free 70-page e-book with everything you need to know about security.