Instructions & Guidelines

Security requirements

Authentication & authorization

An add-on must authenticate and authorize every request on all endpoints exposed. Anonymous access to application endpoints and resources can be allowed in scenarios where it is needed.

Data protection

  1. Any End User Data stored by an application outside of the product or users’ browser must ensure full disk encryption at-rest. If accessed by an application or a service, it should be authenticated and authorized appropriately.
  2. An application must use TLS version 1.2 (or higher) to encrypt all of its traffic, and enable HSTS with a minimum age of one year.
  3. An application must follow the “Principle of Least Privilege”, when requesting app scopes. This means that an application should only request scopes required to perform its intended functionality, and nothing more.
  4. An application must securely store and manage secrets, which include OAuth tokens,  sharedSecret, API keys, and encryption keys. They cannot be stored in places that are easily accessible. Examples of places include:
  • Source code and code repository tools, such as Bitbucket and Github
  • URL strings
  • Referer headers
  • Application logs

Application security

  1. An application must maintain and securely configure domains where the application is hosted.
  2. When applicable, an application must enable security headers and cookie security attributes.
  3. An application must validate and sanitize all untrusted data and treat all user input as unsafe to mitigate injection-related vulnerabilities. Untrusted data is any input that can be manipulated to contain a web attack payload.
  4. An application must not use versions of third-party libraries and dependencies with known critical or high vulnerabilities. When vulnerabilities in these libraries and dependencies are discovered, application developers must remediate them as quickly as possible.


  1. An application must not collect or store credentials belonging to user accounts such as user passwords or user API tokens.

Vulnerability management

  1. You must notify of all security incidents via
  2. Your account email will be taken as a security contact where you’ll be notified about vulnerabilities in the app.