
Apps SDK – Security & Privacy

Best practices: least privilege, consent, logging, CSP, and network access.


Overview

Security and privacy best practices for Apps SDK development, covering principles like least privilege, explicit user consent, and defense in depth. The guide addresses data handling, prompt injection prevention, write action security, and network access restrictions within the sandboxed iframe environment.

Key Points

Least privilege principle for scopes and permissions
Explicit user consent for account linking and write access
Defense in depth against prompt injection attacks
Proper data handling and PII redaction in logs
Input validation and human confirmation for destructive actions
Content Security Policy restrictions for widget iframes

Prerequisites

Understanding of web security principles
Knowledge of OAuth and authentication flows
Familiarity with Content Security Policy
Basic understanding of data privacy regulations

Step-by-Step Guide

1. Implement least privilege access controls
2. Set up explicit user consent flows
3. Validate all inputs server-side
4. Redact PII from logs and audit trails
5. Require human confirmation for destructive operations
6. Test for prompt injection vulnerabilities