Security and Quality Standards
This document describes the quality and security expectations of apps developed for the Happeo platform. These guidelines must be applied before deploying the app.
Note that the guidelines apply to both the frontend and backend components of the custom apps, even when the backend components may not be deployed in Happeo infrastructure.
Security Standards
Security is our responsibility
At Happeo we take security seriously. Apps that do not follow the security and quality standards will not be listed in the Happeo App marketplace.
✓ No secrets in code
Do not hard code any credentials or secrets in the App widget code. The javascript bundle is publicly available.
✓ No secrets in settings
The settings for a widget stored by a page are not protected. Therefore, app developers must ensure that they do not use the widget settings to store any sensitive information. For such information, developers must develop their own backend service to store the sensitive information in an appropriate secret storage.
✓ No secrets in content
The content for a widget stored in a page is not protected. In fact it is indexed and available for searching. Therefore, app developers must ensure that they do not use the widget content to store any sensitive information. For such information, developers must develop their own backend service to store the sensitive information in an appropriate secret storage.
✓ Calls to the backend are verified
If the App Widget makes HTTP requests to a backend, it must retrieve a JWT from the widget SDK and send it along with the request. The backend must validate the JWT before processing the request.
In case of a Search app, Happeo will automatically add a JWT to each HTTP request sent to the search app. The app must validate the JWT before processing the request.
The JWT is signed by a shared secret when the app is added to Happeo from the Admin UI. This secret must be kept confidential and protected all the time.
To know more about how the authentication works, refer to the article on using external data sources.
✓ No calls to Happeo's internal APIs
The App widget should not make calls to the Happeo internal API in order to prevent unauthorised access to data. We will reject app submissions to the marketplace if there are illegitimate calls made to the Happeo internal API. Administrators of custom Apps must make sure to check the source code for this violation.
✓ Not vulnerable to known security threats
The app developers must ensure that their app is not vulnerable to any known security threats, with particular focus on the OWSAP Top 10.
Quality Standards
Great quality equals customer satisfaction. Let's strive for that!
✓ App metadata on marketplace is up to date.
The App’s name, description, preview content, support links, etc. must be provided.
The app name must be in title case (each word's first letter capitalized).
The description should mention release notes of the last release briefly.
The visuals must briefly highlight the functionality and the value provided by the app.
✓ Code aligns with the description
The developer must ensure that the app functionality is only what it says in the description.
✓ Design aligns with Happeo UI
The app UI must align with Happeo’s design. It is recommended to use the Happeo UI Kit.
✓ Clean code
Write easy to understand code, comment wherever necessary
Do not minify the code
Add a README.md to explain at least the below:
- Widget functionality
- Widget setup
- Build and Test
✓ Functionality is tested thoroughly
The app developer must write test cases for each functionality exposed to the user. It is recommended to write test cases that test backwards compatibility. This is one of the ways we ensure quality.
✓ Licensing
The app as well as all its dependencies must allow commercial use as the app bundle is deployed in our CDN and used in Happeo.
✓ Backwards compatible
All updates to an app must be backwards compatible. This means existing app widgets added to pages must work.
If it is impossible to make a backwards compatible update, then the only option is to create a new app.
✓ Widget SDK is initialized
App must initialize the widget SDK even if the API is not used. This can be done as follows:
const widgetApi = await widgetSDK.api.init(uniqueWidgetId)
✓ No hidden content stored in widget contents
The widget contents are supposed to be viewed by widget viewers and hence developers must not store any hidden information there.
✓ No hidden content stored in widget settings
The widget settings are supposed to be viewed by widget viewers and hence developers are recommended to not store any hidden information there. It is okay, however, to store configuration computed from the settings declared by the widget.
✓ Build, test, package is successful
Apps that do not build, test or package are rejected.
✓ Bundle size is small
The bundle size must be kept as small as possible. Happeo provides react, react-dom, styled-components, and happeouikit components, which must therefore be externalized.
✓ App backend must be highly available
If the App uses a backend, it must be highly available and fault tolerant.
Updated over 1 year ago