For example, Forge apps can choose to implement one or more of the following
capabilities, which change the division of security responsibilities between
you and Atlassian.
Custom UI, which lets you define app user interfaces using
UI kit (beta), which lets you build intuitive and familiar app user interfaces by composing built-in Atlassian components.
Web triggers (beta), which are a mechanism to invoke Forge applications through incoming HTTP calls.
This page is intended to help you understand your responsibilities when
building and supporting a Forge app, and what responsibilities Atlassian
takes care of. Also make sure you have read and are adhering to the Developer terms and Marketplace partner agreement.
Encode all output. Ensure data is treated as data and not as code, especially in different browser contexts. This includes data you may get back from Atlassian's APIs, as the required output encoding depends on how the data is being used in your app.
Appropriately encode all HTML output for UI kit components.
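The two items above say that the encoding must match the context the data lands in. The following is an added example, not code from Atlassian or from any Forge app, showing what that looks like for an app that builds HTML from values returned by a Jira API call: one encoder for HTML text and attribute values, a separate one for JavaScript string literals, and a scheme check for links. The `renderIssueCard` function, the `SAMPLE_ISSUE` object and its field values are constructed for the example; the point is that user-controlled fields such as an issue summary never reach the page unencoded.

```javascript
// Added example (not Atlassian's code): context-aware output encoding for
// data a Forge app renders from API responses. Sample values are constructed.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode for an HTML text node or a quoted attribute value.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Encode for use inside a JavaScript string literal. This is a different
// context from HTML, so HTML encoding alone would not be enough here:
// everything outside a small safe set becomes a \uXXXX escape.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9,._ ]/g, (ch) => {
    return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

// Only http(s) URLs are allowed in href; any other scheme (or an
// unparseable value) is replaced with a harmless fragment link.
function safeHref(value) {
  try {
    const url = new URL(String(value));
    if (url.protocol === 'http:' || url.protocol === 'https:') {
      return encodeHtml(url.href);
    }
  } catch (e) {
    // not an absolute URL; fall through
  }
  return '#';
}

// Build a small HTML card for an issue. Every interpolated value goes through
// the encoder for the context it is placed in (text node, attribute, href).
function renderIssueCard(issue) {
  return (
    '<div class="issue">' +
    `<a href="${safeHref(issue.url)}">${encodeHtml(issue.key)}</a>` +
    `<span title="${encodeHtml(issue.summary)}">${encodeHtml(issue.summary)}</span>` +
    '</div>'
  );
}

// Constructed sample: an issue whose summary and URL contain characters that
// are meaningful to the browser and therefore must be encoded or rejected.
const SAMPLE_ISSUE = {
  key: 'DEMO-1',
  url: 'javascript:void(0)',
  summary: 'Fix <script> tag handling & "quote" escaping',
};

console.log(renderIssueCard(SAMPLE_ISSUE));
```

`encodeHtml` deliberately does not try to make arbitrary data safe for a `<script>` block or a URL; a value that ends up in one of those contexts needs `encodeJsString` or `safeHref` instead, which is the "different browser contexts" point the guidance makes.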
Ensure that data is appropriately stored and read by your app.
Ensure that sensitive security data, such as pre-shared keys, API keys, or
encryption keys, are not hardcoded in the source code. Secure storage,
such as encrypted environment variables, should be used to supply keys.
Ensure that keys are rotated on a regular basis. You should rotate
sensitive API keys at least every 90 days.
Encrypt data at rest for data stored within Forge app storage.
Segregate data storage to prevent cross-tenant access. This includes Forge app storage.