Secure Coding Guidelines



Although using APIs are useful and convenient, be aware of the below risks when coding:

  • security issues may arise as a result of the code
  • the service may not function appropriately as a result of the code

In this article, we will explain important points when programming with the API.

Prevent Cross-site Scripting (XSS)

What’s Cross-site Scripting (XSS)?

Cross-site Scripting (XSS) is a vulnerability that sends malicious code to the web viewer’s browser, by dynamically creating and displaying pages depending on the user’s input.

Possible threats

Programs with XSS vulnerability can lead to the following threats:

  • data lying in Kintone can be stolen
  • fake sites may be displayed
  • malicious cookies may be stored in the web browser

Sample code with Vulnerability

var text1 = document.getElementById('text1');
var div1 = document.getElementById('div1');
div1.innerHTML = '<input type="text" value="' + text1.value + '" />';

In this code, a text box is created from the value in text1.
A code unintended by the code creator can run by placing the below code for text1.


Preventing XSS

Escape every outputted element

Strings that are passed on from external programs, and special characters (< , > , " ) are to be escaped. You will need to have some knowledge on escaping HTML elements, but we recommend you to avoid dynamically creating HTML contents with the use of document.write and innerHTML. You can prevent common XSS though by using innerText instead of innerHTML.

Limit URL outputs to “http://” or “https://”

Dynamically creating href attributes (for a tags) or src attributes (for img tags) from external inputs has the risk of embedding of strings that begin with JavaScript:. To prevent this, limit outputs of URLs to those that begin with http:// or https://.

Avoid creating elements based on external input values

Here is a sample code that you should not run.

var tag = document.createElement('script');
tag.innerText = untrusted;
Avoid using stylesheets that use external input values

Stylesheets can use expression() to write script.
For this reason, vulnerability arises in the following code.

var tag = document.createElement('div');
// untrusted = "{ left:expression( alert('xss') )"
Don’t load JavaScript files and CSS files that are on untrusted external sites

There’s a risk that the contents of the file that you are loading could be changed unexpectedly one day to a program that steals your information. Make sure that you can trust the site that you are loading your script from.

Prevent Cross site Request Forgery (CSRF)

What’s Cross Site Request Forgery (CSRF)?

Cross Site Request Forgery (CSRF) is an attack whereby a script is embedded into a web site, causing the viewer to run unintended operations on a different web site.
If this attack is made on, the request will be sent from the user logged into, thus causing the request to run.

Possible threats

A user logged into may run unintended operations.

Preventing CSRF

The following measures are taken on

  • only POST method requests are accepted
  • only requests with tokens that are issued per session are accepted

For these reasons, a request to cannot be made without using API.

Cautions when using JavaScript Customization

For the reasons above preventing CSRF, when using the Kintone JavaScript customization feature, you will need to use the JavaScript API that is introduced on this site for using event listeners and sending requests.

Cautions when using REST API

For the reasons above preventing CSRF, requests that don’t use the Kintone REST API introduced on this site cannot be run from an external site.
API requests will need to be authenticated. To understand how to include authentication in your requests, read through the contents of this site, refer to the samples or try out the Kintone SDK.


Restriction on Communication

Services on encrypts communication between the user’s web browser. For this reason, HTTPS is needed when using API.

Cautions when using JavaScript Customization

When using the Kintone JavaScript Customization feature, HTTPS will need to be used if you are to load JavaScript/CSS contents that lie outside of Kintone.

Cautions when using REST API

HTTPS will need to be used when using the Kintone REST API. Cookies issued by have a Secure attribute, and HTTPS will need to be used.
If you are using the client certificate authentication feature for Kintone, authentication through client certificates will be needed. Refer to the Kintone SDK on how to use the client certificate authentication.

Store Data Appropriately

Personal and confidential information can be retrieved from data lying on If you are to place save these information on an external application, design and operate the system with great caution so as not to leak private information.
Especially, please do not hard code important data such as passwords into your program.

Other Cautions when using JavaScript Customizations

Cross Domain Restrictions

Due to cross domain restrictions, communication between and external sites using XHR(XMLHttpReuest) cannot be run. The Access-Control-Allow-Origin header cannot be added.

Retrieving Cookies via JavaScript

As cookies from have Httponly attributes, these cookies cannot be retrieved using JavaScript.

Redirecting to External Sites

If the URL passed on to the following objects are dynamically created from external input values, run a check on the created URL to see if it is in your intended format:

  • location.href
  • document.location

Using the “strict mode”

Using the JavaScript’s strict mode will prevent miscoding and will make your code more secure. For details on strict mode, refer to the MDN document (External link).

Main features of the strict mode:

  • values can only be placed into declared variables

  • the scope of the variables declared inside the eval() function is limited within that function.

  • arguments.calee is not supported

    'use strict';
    mistypedVaraible = 17; // throws a ReferenceError

Consider the Effect to the Kintone Service

Avoid sending large amounts of requests within a short time period

Programs that automatically send large amounts of requests, and those that run multiple requests in parallel, can both lead to performance degradation and slow responses. Be aware that we may limit your Kintone environment’s access if you are sending requests that place high load onto our servers and use up a high amount of our resources.

Check Operations on Several Web Browsers

Depending on the JavaScript program that is uploaded onto Kintone, some features of Kintone may not function correctly.
Check that the customizations that you have made are working correctly on different web browsers.

Set an appropriate user agent

Please set an appropriate value in the User-Agent header, so that we can identify what services or tools the requests are coming from.
Refer to the guidelines on user-agents through the below link: