Secure Coding Guidelines
Although using APIs are useful and convenient, be aware of the below risks when coding:
- security issues may arise as a result of the code
- the kintone.com service may not function appropriately as a result of the code
In this article, we will explain important points when programming with the API.
Prevent Cross-site Scripting (XSS)
What’s Cross-site Scripting (XSS)?
Cross-site Scripting (XSS) is a vulnerability that sends malicious code to the web viewer’s browser, by dynamically creating and displaying pages depending on the user’s input.
Programs with XSS vulnerability can lead to the following threats:
- data lying in Kintone can be stolen
- fake sites may be displayed
- malicious cookies may be stored in the web browser
Sample code with Vulnerability
In this code, a text box is created from the value in
A code unintended by the code creator can run by placing the below code for text1.
Escape every outputted element
Strings that are passed on from external programs, and special characters (
" ) are to be escaped. You will need to have some knowledge on escaping HTML elements, but we recommend you to avoid dynamically creating HTML contents with the use of
innerHTML. You can prevent common XSS though by using
innerText instead of innerHTML.
Limit URL outputs to “http://” or “https://”
Dynamically creating href attributes (for
a tags) or src attributes (for
img tags) from external inputs has the risk of embedding of strings that begin with
Avoid creating elements based on external input values
Here is a sample code that you should not run.
Avoid using stylesheets that use external input values
Stylesheets can use
expression() to write script.
For this reason, vulnerability arises in the following code.
There’s a risk that the contents of the file that you are loading could be changed unexpectedly one day to a program that steals your information. Make sure that you can trust the site that you are loading your script from.
Prevent Cross site Request Forgery (CSRF)
What’s Cross Site Request Forgery (CSRF)?
Cross Site Request Forgery (CSRF) is an attack whereby a script is embedded into a web site, causing the viewer to run unintended operations on a different web site.
If this attack is made on kintone.com, the request will be sent from the user logged into kintone.com, thus causing the request to run.
A user logged into kintone.com may run unintended operations.
The following measures are taken on kintone.com:
- only POST method requests are accepted
- only requests with tokens that are issued per session are accepted
For these reasons, a request to kintone.com cannot be made without using API.
Cautions when using REST API
For the reasons above preventing CSRF, requests that don’t use the Kintone REST API introduced on this site cannot be run from an external site.
API requests will need to be authenticated. To understand how to include authentication in your requests, read through the contents of this site, refer to the samples or try out the Kintone SDK.
Restriction on Communication
Services on kintone.com encrypts communication between the user’s web browser. For this reason, HTTPS is needed when using API.
Cautions when using REST API
HTTPS will need to be used when using the Kintone REST API. Cookies issued by kintone.com have a Secure attribute, and HTTPS will need to be used.
If you are using the
client certificate authentication feature for Kintone, authentication through client certificates will be needed. Refer to the Kintone SDK on how to use the client certificate authentication.
Store Data Appropriately
Personal and confidential information can be retrieved from data lying on kintone.com. If you are to place save these information on an external application, design and operate the system with great caution so as not to leak private information.
Especially, please do not hard code important data such as passwords into your program.
Cross Domain Restrictions
Due to cross domain restrictions, communication between kintone.com and external sites using XHR(XMLHttpReuest) cannot be run. The Access-Control-Allow-Origin header cannot be added.
Redirecting to External Sites
If the URL passed on to the following objects are dynamically created from external input values, run a check on the created URL to see if it is in your intended format:
Using the “strict mode”
Main features of the strict mode:
values can only be placed into declared variables
the scope of the variables declared inside the
eval()function is limited within that function.
arguments.caleeis not supported
'use strict'; mistypedVaraible = 17; // throws a ReferenceError
Consider the Effect to the Kintone Service
Avoid sending large amounts of requests within a short time period
Programs that automatically send large amounts of requests, and those that run multiple requests in parallel, can both lead to performance degradation and slow responses. Be aware that we may limit your Kintone environment’s access if you are sending requests that place high load onto our servers and use up a high amount of our resources.
Check Operations on Several Web Browsers
Check that the customizations that you have made are working correctly on different web browsers.
Set an appropriate user agent
Please set an appropriate value in the User-Agent header, so that we can identify what services or tools the requests are coming from.
Refer to the guidelines on user-agents through the below link:
- RFC 7231 5.5.3. User-Agent https://www.ietf.org/rfc/rfc7231.txt