Bubble.io is a pioneering low-code platform for creating professional web applications. After building your application it can be tempting to release your site without giving much thought to some of the features hidden in the “Settings” and “Data” tabs. Bubble offers many excellent features that will improve your site's reach, security and professionalism. It would be foolish not to make the most of them!
One powerful feature that is usually overlooked by new ‘Bubblers’ is the “Privacy” tab under the “Data” section. This feature allows developers to define which users can view each “Data type”, and it removes that data from query results for users who are not permitted to see it.
This might seem like overkill but as your project develops it is easy to accidentally expose data sources which might be exploitable. Proper “Privacy” rules act as a last line of defence and can prevent a damaging data leak.
It is also best practice to follow ‘The Principle of Least Privilege’. This means that you restrict users to exactly what they need and nothing more. I would recommend that you start using “Privacy” rules early in your development process, and you should definitely have them in place before onboarding real users.
When building a website it is important that the user interface works on all devices, not just the device it was designed on. I would recommend that you enable the developer settings on your favourite browser and use the responsiveness testing features to try your site on multiple devices and screen sizes.
Bubble has recently been beta testing a “Responsive” feature on the “Design” panel. Although it can be confusing to use at first, it is worth the investment. This feature can be used to fine-tune your “Responsive” design.
Unfortunately, many templates were built prior to the “Responsive” feature and it is rarely worth migrating them yourself. For these templates, you will have to pay attention to how the template manages “Responsiveness” and attempt to tweak it if you experience any issues.
All Bubble apps start out life under an HTTPS subdomain on bubbleapps.io. As your project grows, however, it is likely you will want it to be accessible under your own domain (e.g., sciamachy.io). Bubble makes it easy to migrate to your custom domain under “Settings” within the “Domain / email” tab.
If you enable a custom domain, but do not issue the SSL certificate, your domain will not have HTTPS and on most browsers, users will get a message saying something like “The Connection Is Not Private”. Aside from deterring users, this means that your site is not secure and could lead to sensitive unencrypted data being intercepted. Bubble makes it incredibly easy to issue an SSL certificate under the “Domain / email” tab “SSL encryption (HTTPS)”.
Unless you have a strong reason not to, it is recommended that you select “Block all frames” in the “Settings” panel under the “General” tab. iFrames are HTML elements that allow one page to be loaded inside another document. It is best practice to prevent other sites from loading your app this way, as framing can be abused in phishing scams and other attacks.
Another important set of features to configure correctly is the password settings. These are all controlled under the “Settings” panel within the “General” tab.
Firstly, you should ensure that you have ticked the box “Define a password policy”. It is recommended to require users to have complex passwords; however, make sure that these policies are clearly stated when users sign up. It is best practice to enable “Active two-factor authentication” as this helps to keep user accounts safe and reduces future issues with user accounts being compromised.
Finally, if you are making a public app that will be accessible over the internet I would recommend enabling “Limit access to this app with a username and password” and then selecting “Only apply in Development mode”. This means that your development environment will be password protected. If people realise you are using Bubble, then you don’t want them looking at the development app by changing the URL to include “/version-test”.
One of the small but important final details you want to add to your site is the favicon, the picture in the browser tabs. This is easy to add under the “Settings” panel within the “General” tab. You can upload a picture and Bubble will do the rest. One thing to note: favicons are notoriously fiddly, so you should look at your site in incognito mode to confirm that it has changed.
When people share your site on the internet or find it via a search engine they will see text and a thumbnail describing your site. These are metatags, and it is worth changing them to describe your site; otherwise people will only see the Bubble placeholder metatags.
It might sound obvious but you should also check that your current Bubble plan has all the requirements you need before you release your application. In particular, different plans limit the number of database entries you have available and the last thing you want is for your site to go viral and then not to be able to accept more users due to this limitation!