Security and Quality Standards

This document describes the quality and security expectations of apps developed for the Happeo platform. These guidelines must be applied before deploying the app.

Note that the guidelines apply to both the frontend and backend components of the custom apps, even when the backend components may not be deployed in Happeo infrastructure.

Security Standards

🚧

Security is our responsibility

At Happeo we take security seriously. Apps that do not follow the security and quality standards will not be listed in the Happeo App marketplace.

✓ No secrets in code

Do not hard code any credentials or secrets in the App widget code. The javascript bundle is publicly available.

✓ No secrets in settings

The settings for a widget stored by a page are not protected. Therefore, app developers must ensure that they do not use the widget settings to store any sensitive information. For such information, developers must develop their own backend service to store the sensitive information in an appropriate secret storage.

✓ No secrets in content

The content for a widget stored in a page is not protected. In fact it is indexed and available for searching. Therefore, app developers must ensure that they do not use the widget content to store any sensitive information. For such information, developers must develop their own backend service to store the sensitive information in an appropriate secret storage.

✓ Calls to the backend are verified

If the App Widget makes HTTP requests to a backend, it must retrieve a JWT from the widget SDK and send it along with the request. The backend must validate the JWT before processing the request.

In case of a Search app, Happeo will automatically add a JWT to each HTTP request sent to the search app. The app must validate the JWT before processing the request.

The JWT is signed by a shared secret when the app is added to Happeo from the Admin UI. This secret must be kept confidential and protected all the time.

To know more about how the authentication works, refer to the article on using external data sources.

✓ Not vulnerable to known security threats

The app developers must ensure that their app is not vulnerable to any known security threats, with particular focus on the OWSAP Top 10.

Quality Standards

📘

Great quality equals customer satisfaction. Let's strive for that!

✓ App metadata on marketplace is up to date.

The App’s name, description, preview content, support links, etc. must be provided. The description should mention release notes of the last release briefly. There must be multiple app visuals present in the marketplace.

✓ Code aligns with the description

The developer must ensure that the app functionality is only what it says in the description.

✓ Design aligns with Happeo UI

The app UI must align with Happeo’s design. It is recommended to use the Happeo UI Kit.

✓ Clean code

Write easy to understand code, comment wherever necessary

Do not minify the code

Add a README.md to explain at least the below:

  • Widget functionality
  • Widget setup
  • Build and Test

✓ Functionality is tested thoroughly

The app developer must write test cases for each functionality exposed to the user. It is recommended to write test cases that test backwards compatibility. This is one of the ways we ensure quality.

✓ Licensing

The app as well as all its dependencies must allow commercial use as the app bundle is deployed in our CDN and used in Happeo.

✓ Backwards compatible

All updates to an app must be backwards compatible. This means existing app widgets added to pages must work.

If it is impossible to make a backwards compatible update, then the only option is to create a new app.

✓ Widget SDK is initialized

App must initialize the widget SDK even if the API is not used. This can be done as follows:

const widgetApi = await widgetSDK.api.init(uniqueWidgetId)

✓ No hidden content stored in widget contents

The widget contents are supposed to be viewed by widget viewers and hence developers must not store any hidden information there.

✓ No hidden content stored in widget settings

The widget settings are supposed to be viewed by widget viewers and hence developers are recommended to not store any hidden information there. It is okay, however, to store configuration computed from the settings declared by the widget.

✓ Build, test, package is successful

Apps that do not build, test or package are rejected.

✓ Bundle size is small

The bundle size must be kept as small as possible. Happeo provides react, react-dom, styled-components, and happeouikit components, which must therefore be externalized.

✓ App backend must be highly available

If the App uses a backend, it must be highly available and fault tolerant.