Security requirements

In this article

    It is paramount that you keep data secure. Security is our topmost concern. 

    If needed, we may go back in time to see when and by who an operation was performed.


    Credentials and authentication

    • The application must use federated authentication. Applications must ensure the quality of service is not jeopardized for any of our customers.
    • Web panels added by the application must authorize the user before any data is shown (seamless single sign-on)
    • Use SuperID and a system user; don't send username and password.
    • Ensure all cookies have the HttpOnly flag set, setting secure is recommended.
    • Partner applications are not allowed to store any user credential authentication information.
      • Setting ConfigFile.Services.ApplicationToken in code is forbidden.
    • You must change all default passwords before deploying the application to the production environment.
    • Use multi-factor authentication and encrypted channels for all administrative account access.
    • If your client secret (application token) should be compromised, you must notify SuperOffice Online Operations as soon as possible (submit form).

    Data access

    • Use the SuperOffice APIs to read from and write to the database to ensure data consistency.
    • Ensure role, group, and user permissions are adhered to.
      • Ensure that sentry rules are followed.
      • Give the user feedback when sentry denies access.
      • Using the web services in the application user's context will ensure this happens automatically, however, be aware when running in system user context.
    • Use the existing Preference tablesForeignKey, ForeignDevice, ForeignApp tables to store extra information. If you need more tables, they must be hosted in your cloud.

    Endpoints and application environment

    • You must specify a secure redirect URL.
      • Run the redirect URL through Qualys SSL Labs, SSL Server tests, and aim for an A.
      • You must support TLS 1.2.
      • We will not accept any sites where SSL 2.0 or 3.0 is supported.
    • Any code must run with SSL in your own cloud.
      • We will not host any partner application on
      • SuperOffice CRM Online requires that all applications support a secure SSL environment.
    • Maintain separate environments for production and non-production systems (development). Developers should not have unmonitored access to production environments.


    • Ensure that local logging has been enabled on all systems and networking devices where you host your application.
    • Logs should be detailed and include info such as event source, date, user, timestamp, source addresses, destination addresses.
    • Logs should be minimum kept for 3 months.
      • Ensure that all systems that store logs have adequate storage space for the logs generated.
    • On a regular basis, review logs to identify anomalies or abnormal events.


    We recommend you also have a staging environment.

    Always keep in mind the OWASP top ten list.