Building a Forge app brings with it new capabilities and responsibilities beyond those set out in the Cloud shared responsibility model.
We are developing a new native Node.js runtime to replace Forge's current runtime environment. This new runtime introduces several changes to the way security and egress controls work. Sandboxing and snapshots (including any related settings and restrictions) are also no longer relevant in the new runtime. These changes may result in additional developer responsibilities to help uphold Forge's security.
This native Node.js runtime is available now as part of Forge's Early Access Program (EAP). For information about testing this new runtime, see Native Node.js runtime (EAP).
Forge’s EAP offers experimental features to selected users for testing and feedback purposes. These features are not supported or recommended for use in production environments. They are also subject to change without notice.
For more information, see Forge EAP, Preview, and GA.
For example, Forge apps can choose to implement one or more of the following capabilities, which change the division of security responsibilities between you and Atlassian.
Custom UI, which lets you define app user interfaces using static resources, such as HTML, CSS, JavaScript, and images.
UI kit, which lets you build intuitive and familiar app user interfaces by composing built-in Atlassian components.
Web triggers, which are a mechanism to invoke Forge apps through incoming HTTP calls.
This page is intended to help you understand your responsibilities when building and supporting a Forge app, and what responsibilities Atlassian takes care of. Also make sure you have read and are adhering to the Developer terms and Marketplace partner agreement.
| Responsibility | Custom UI | UI kit | Web triggers |
|---|---|---|---|
| App elements | | | |
| Authentication of requests to the app | Atlassian | Atlassian | You |
| Authorization of requests to the app | Atlassian & You | Atlassian & You | You |
| Input validation and output encoding | You | Atlassian & You | You |
| Application logic | You | You | You |
| Application framework | Atlassian & You | Atlassian | Atlassian |
| Data storage | Atlassian & You | Atlassian & You | Atlassian & You |
| Software development lifecycle (SDLC) activities | Atlassian & You | Atlassian & You | Atlassian & You |
| Tenant safety | Atlassian | Atlassian | Atlassian |
| Operational elements | | | |
| Logging | Atlassian & You | Atlassian & You | Atlassian & You |
| Monitoring and alerting | Atlassian | Atlassian | Atlassian |
| Network security | Atlassian | Atlassian | Atlassian |
| Runtime/Server security | Atlassian | Atlassian | Atlassian |
| Vulnerability management and disclosure | Atlassian & You | Atlassian & You | Atlassian & You |
| Bug bounty | Atlassian & You | Atlassian & You | Atlassian & You |
| Security incident response | Atlassian & You | Atlassian & You | Atlassian & You |
| Disaster recovery | Atlassian & You | Atlassian & You | Atlassian & You |
| Security features | | | |
| User identity and access management | Atlassian | Atlassian | Atlassian |
| DoS protection | Atlassian | Atlassian | Atlassian |
| Abuse prevention | Atlassian & You | Atlassian & You | Atlassian & You |
Ensure that every request made to the application is sufficiently authenticated.
Your responsibilities:
Atlassian's responsibilities:
Ensure that every request made to the application is sufficiently authorized.
Your responsibilities:
- Use `asUser()` whenever you are performing an operation on behalf of a user. This ensures your app has at most the permissions of the calling user.
- When using `asApp()`, you must verify the expected permissions (for example, from product context) with the permissions REST APIs before making the request.
Atlassian's responsibilities:
- Authorizing `asUser()` calls before invoking your Forge application.
Ensure sufficient input validation and output encoding is applied within the application.
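The `asApp()` responsibility in the authorization section above (verify the calling user's permissions before making an app-privileged request) as an added example; this is not code from the Forge documentation or from Atlassian. It assumes two injected request functions, `asUserFetch` and `asAppFetch`, standing in for `api.asUser().requestJira(...)` and `api.asApp().requestJira(...)` from `@forge/api`, so the guard runs offline against constructed responses. The Jira endpoints used (`GET /rest/api/3/mypermissions` with `permissions` and `projectId` query parameters, and `PUT /rest/api/3/issue/{key}/assignee` returning 204) are the real ones; the project, issue and account values are constructed.

```javascript
// Added example, not from the Forge docs: guard a privileged asApp() write
// behind a user-level permission check so the app cannot be used as a
// confused deputy. `asUserFetch` / `asAppFetch` are injected stand-ins for
// api.asUser().requestJira(...) and api.asApp().requestJira(...) (@forge/api).

const MYPERMISSIONS_PATH = "/rest/api/3/mypermissions";

// Ask Jira, as the calling user, whether they hold `permission` in `projectId`.
// Any failure (thrown error, non-2xx, malformed body) is treated as "no permission".
async function userHasProjectPermission(asUserFetch, projectId, permission) {
  const query = `permissions=${encodeURIComponent(permission)}&projectId=${encodeURIComponent(projectId)}`;
  let res;
  try {
    res = await asUserFetch(`${MYPERMISSIONS_PATH}?${query}`);
  } catch (e) {
    return false; // fail closed
  }
  if (!res || !res.ok) return false;
  const body = await res.json();
  const entry = body && body.permissions && body.permissions[permission];
  return Boolean(entry && entry.havePermission === true);
}

// Privileged operation: reassign an issue with the app's own permissions,
// but only after the calling user has been shown to hold ASSIGN_ISSUES.
async function assignIssueAsApp(clients, { issueKey, projectId, assigneeAccountId }) {
  const allowed = await userHasProjectPermission(clients.asUserFetch, projectId, "ASSIGN_ISSUES");
  if (!allowed) {
    return { status: "denied", reason: "calling user lacks ASSIGN_ISSUES" };
  }
  const res = await clients.asAppFetch(`/rest/api/3/issue/${encodeURIComponent(issueKey)}/assignee`, {
    method: "PUT",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ accountId: assigneeAccountId }),
  });
  return res.status === 204 ? { status: "assigned" } : { status: "error", httpStatus: res.status };
}

// Constructed stand-ins for the two Forge clients (no network access).
// `grantedPermissions` lists the Jira permission keys the fake user holds;
// every asApp() call is recorded so a caller can confirm none happened on denial.
function fakeClients(grantedPermissions) {
  const appCalls = [];
  const asUserFetch = async (path) => {
    const requested = new URL(path, "https://example.invalid").searchParams.get("permissions") || "";
    const permissions = {};
    for (const key of requested.split(",").filter(Boolean)) {
      permissions[key] = { key, havePermission: grantedPermissions.includes(key) };
    }
    return { ok: true, status: 200, json: async () => ({ permissions }) };
  };
  const asAppFetch = async (path, init) => {
    appCalls.push({ path, method: init.method });
    return { ok: true, status: 204 };
  };
  return { asUserFetch, asAppFetch, appCalls };
}
```

The check is made with the user's identity and the write with the app's, which is the point: `asApp()` carries the app's full granted scopes, so without the preceding `asUser()` check any user who can reach the function could trigger the write. The helper fails closed on any error in the permission lookup.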
Your responsibilities:
Atlassian's responsibilities:
Your responsibilities:
Ensure the framework used to build apps is free of security bugs, and fixes are delivered in line with Atlassian's security bug fix policy SLOs.
Your responsibilities:
Atlassian's responsibilities:
Ensure that data is appropriately stored and read by your app.
Your responsibilities:
Atlassian's responsibilities:
Apply secure software development practices when building and maintaining your app.
Your responsibilities:
Atlassian's responsibilities:
Your responsibilities:
Atlassian's responsibilities:
Atlassian's responsibilities:
Atlassian's responsibilities:
Atlassian's responsibilities:
Your responsibilities:
Atlassian's responsibilities:
Your responsibilities:
Atlassian's responsibilities:
Your responsibilities:
Atlassian's responsibilities:
Your responsibilities:
Atlassian's responsibilities:
Atlassian's responsibilities:
Atlassian's responsibilities:
Your responsibilities:
Atlassian's responsibilities: