Building a Forge app brings with it new capabilities and responsibilities beyond those set out in the Cloud shared responsibility model.
For example, Forge apps can choose to implement one or more of the following capabilities, which change the division of security responsibilities between you and Atlassian.
- Custom UI, which lets you define app user interfaces using static resources, such as HTML, CSS, JavaScript, and images.
- UI kit, which lets you build intuitive and familiar app user interfaces by composing built-in Atlassian components.
- Web triggers, which are a mechanism to invoke Forge applications through incoming HTTP calls.
This page is intended to help you understand your responsibilities when building and supporting a Forge app, and what responsibilities Atlassian takes care of. Also make sure you have read and are adhering to the Developer terms and Marketplace partner agreement.
Responsibility | Custom UI | UI kit | Web triggers |
---|---|---|---|
App elements | |||
Authentication of requests to the app | Atlassian | Atlassian | You |
Authorization of requests to the app | Atlassian & You | Atlassian & You | You |
Input validation and output encoding | You | Atlassian & You | You |
Application logic | You | You | You |
Application framework | Atlassian & You | Atlassian | Atlassian |
Data storage | Atlassian & You | Atlassian & You | Atlassian & You |
Software development lifecycle (SDLC) activities | Atlassian & You | Atlassian & You | Atlassian & You |
Tenant safety | Atlassian | Atlassian | Atlassian |
Operational elements | |||
Logging | Atlassian & You | Atlassian & You | Atlassian & You |
Monitoring and alerting | Atlassian | Atlassian | Atlassian |
Network security | Atlassian | Atlassian | Atlassian |
Runtime/Server security | Atlassian | Atlassian | Atlassian |
Vulnerability management and disclosure | Atlassian & You | Atlassian & You | Atlassian & You |
Bug bounty | Atlassian & You | Atlassian & You | Atlassian & You |
Security incident response | Atlassian & You | Atlassian & You | Atlassian & You |
Disaster recovery | Atlassian & You | Atlassian & You | Atlassian & You |
Security features | |||
User identity and access management | Atlassian | Atlassian | Atlassian |
DoS protection | Atlassian | Atlassian | Atlassian |
Abuse prevention | Atlassian & You | Atlassian & You | Atlassian & You |
Ensure that every request made to the application is sufficiently authenticated.
Your responsibilities
Atlassian's responsibilities
Ensure that every request made to the application is sufficiently authorized.
Your responsibilities
- Use `asUser()` whenever you are performing an operation on behalf of a user. This ensures your app has at most the permissions of the calling user.
- When you use `asApp()`, you must verify expected permissions (for example, from product context) with the permissions REST APIs before making the request.

Atlassian's responsibilities

- Authorize `asUser()` calls before invoking your Forge application.

Ensure sufficient input validation and output encoding is applied within the application.
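The authorization guidance above (confirm the calling user's permissions before an `asApp()` request) and the input validation requirement just stated, combined in one added example that is not Atlassian's code. It assumes Jira's bulk permission check endpoint `/rest/api/3/permissions/check` and its response shape, and a `requestJira` function passed in by the caller (in a Forge function this would be `api.asApp().requestJira` from `@forge/api`, which takes a `route` template path rather than a plain string).

```javascript
// Added example, not Atlassian's code. Assumes Jira's bulk permission check
// endpoint (POST /rest/api/3/permissions/check) and its response shape; the
// `requestJira` function is injected (in Forge: api.asApp().requestJira).
const PERMISSION_CHECK_PATH = '/rest/api/3/permissions/check';
const JSON_HEADERS = { 'Content-Type': 'application/json', Accept: 'application/json' };

// Input validation: an issue id from the UI or a web trigger is untrusted
// text. Accept only a plain positive integer so it cannot smuggle extra path
// segments or query strings into the REST URL built below.
function parseIssueId(raw) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]{0,15}$/.test(raw)) {
    throw new Error('invalid issue id');
  }
  return Number(raw);
}

// Body asking whether `accountId` holds `permissions` on `issueId`.
function buildPermissionCheckBody(accountId, issueId, permissions) {
  return { accountId, projectPermissions: [{ permissions, issues: [issueId] }] };
}

// Subset of `permissions` the API reported as granted on the issue. Anything
// not echoed back counts as denied, so the check fails closed on an empty or
// unexpected response.
function grantedPermissions(responseJson, issueId, permissions) {
  const grants = responseJson && Array.isArray(responseJson.projectPermissions)
    ? responseJson.projectPermissions : [];
  return permissions.filter((p) => grants.some(
    (g) => g.permission === p && Array.isArray(g.issues) && g.issues.includes(issueId)));
}
function userHasAll(responseJson, issueId, permissions) {
  return grantedPermissions(responseJson, issueId, permissions).length === permissions.length;
}

// Privileged write on behalf of a user: validate the input, confirm the
// calling user's permission, and only then make the asApp() request.
async function editIssueAsApp(requestJira, accountId, rawIssueId, fields) {
  const issueId = parseIssueId(rawIssueId);
  const check = await requestJira(PERMISSION_CHECK_PATH, {
    method: 'POST', headers: JSON_HEADERS,
    body: JSON.stringify(buildPermissionCheckBody(accountId, issueId, ['EDIT_ISSUES'])),
  });
  if (!userHasAll(await check.json(), issueId, ['EDIT_ISSUES'])) {
    throw new Error(`account ${accountId} is not allowed to edit issue ${issueId}`);
  }
  return requestJira(`/rest/api/3/issue/${issueId}`, {
    method: 'PUT', headers: JSON_HEADERS, body: JSON.stringify({ fields }),
  });
}
```

The `accountId` should come from the invocation's product context, never from a request parameter the user controls.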
Your responsibilities
Atlassian's responsibilities
Your responsibilities
Ensure the framework used to build apps is free of security bugs, and fixes are delivered in line with Atlassian's security bug fix policy SLOs.
Your responsibilities
Atlassian's responsibilities
Ensure that data is appropriately stored and read by your app.
Your responsibilities
Atlassian's responsibilities
Apply secure software development practices when building and maintaining your app.
Your responsibilities
Atlassian's responsibilities
Your responsibilities
Atlassian's responsibilities
Atlassian's responsibilities
Atlassian's responsibilities
Atlassian's responsibilities
Your responsibilities
Atlassian's responsibilities
Your responsibilities
Atlassian's responsibilities
Your responsibilities
Atlassian's responsibilities
Your responsibilities
Atlassian's responsibilities
Atlassian's responsibilities
Atlassian's responsibilities
Your responsibilities
Atlassian's responsibilities