Securing Sensitive Installation Parameters

Rohit Eddy
Freshworks Developer Platform Blog
Jul 28, 2018

Apps that integrate with third-party systems usually have to make API calls to these systems to retrieve or modify data. This requires sensitive information, such as API keys, usernames, and passwords, which users enter when installing apps.

The Freshworks Marketplace platform secures all installation parameters (iparams) by taking the following precautions:

  • Encrypting all iparams before storing them in our database. The iparams are not shared with the app developer.
  • Hosting the database in the same region as your account to ensure GDPR compliance.
  • Ensuring that iparams are accessible only to the appropriate instance of the app.

Note: Ensure that all apps (including custom apps) use iparams to retrieve sensitive information so as to benefit from the aforementioned precautions.

However, if iparams are retrieved in the front-end component of the app to make API calls, then it is possible for an app user to view these parameters via the browser console. One way to avoid this is to include a serverless component and make all API requests from there. This can be achieved using server method invocation, which is a rather cumbersome workaround.

We have added support for secure installation parameters from v4.3.8 of the CLI. If you are using standard installation pages, you can mark an iparam as secure by following the format shown below.

{
  "apiKey": {
    "display_name": "Api Key",
    "type": "text",
    "required": true,
    "secure": true
  }
}

If you are using a custom installation page, you can mark iparams as secure by including them in a secure array when the app’s postConfigs method returns the list of iparams.

return {
  __meta: {
    secure: ["api_key"]
  },
  api_key
};
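A pre-release check for both formats shown above, as an added example that is not Freshworks or CLI code: it lists iparams whose names look sensitive but are not marked secure. The function names, the SENSITIVE name heuristic, and the sample inputs are assumptions made for illustration.

```javascript
// Added example: flag sensitive-looking iparams that are not marked secure.
// SENSITIVE is an assumed naming heuristic; extend it to match your app's fields.
const SENSITIVE = /passw(or)?d|secret|token|api[_-]?key|credential/i;

// Standard installation page: the iparams definition maps each name to an
// object with display_name, type, required and (optionally) secure.
function auditStandard(iparams) {
  return Object.entries(iparams)
    .filter(([name, def]) =>
      SENSITIVE.test(name + " " + ((def && def.display_name) || "")))
    // Strict check: only the boolean true counts, as in the format on this page.
    .filter(([, def]) => !def || def.secure !== true)
    .map(([name]) => name);
}

// Custom installation page: the object returned by postConfigs names its
// secure iparams in the __meta.secure array.
function auditCustom(configs) {
  const meta = configs.__meta || {};
  const secure = new Set(Array.isArray(meta.secure) ? meta.secure : []);
  return Object.keys(configs)
    .filter((name) => name !== "__meta")
    .filter((name) => SENSITIVE.test(name) && !secure.has(name));
}

// Constructed sample inputs (not taken from a real app).
const sampleStandard = {
  apiKey: { display_name: "Api Key", type: "text", required: true, secure: true },
  password: { display_name: "Password", type: "text", required: true },
  domain: { display_name: "Domain", type: "text", required: true },
  svc: { display_name: "Service token", type: "text", secure: "true" },
};
const sampleCustom = {
  __meta: { secure: ["api_key"] },
  api_key: "constructed-value",
  webhook_secret: "constructed-value",
  subdomain: "acme",
};

console.log("standard page, not secure:", auditStandard(sampleStandard));
console.log("custom page, not secure:", auditCustom(sampleCustom));
```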

Secure iparams cannot be accessed in the front-end component of the app; attempting to do so will result in an error. They have to be used in conjunction with the Request API as shown below.

var headers = {"Authorization": "Basic <%= encode(iparam.api_key) %>"};

We hope this change helps you deliver high quality apps that are compliant with the highest security standards.

Please reach out to us at marketplace@freshworks.com if you have any questions about this update.
