Dear Freshworks App Developers,
We hope this update finds you healthy and safe.
From our last announcement related to a security update on the platform, you would have learned that we are lining up a few enhancements to improve the security posture of our platform.
We also want to assure you that this is the last planned deployment that comes without a heads-up to help you prepare for the change. As always, our analysis gives us confidence that this change will have little overall impact while significantly enhancing the security posture of the platform you use. However, we do expect that apps leveraging middleware running outside the platform are likely to be affected.
Starting immediately, the platform will restrict the use of installation parameters marked “secure” within the “body” property of a request made using the Request Method feature of the platform. These parameters also cannot be referenced as part of the request URL. Your apps can continue referring to secure installation parameters as part of the “headers” property.
Similarly, a reference to an OAuth2 access token managed by the platform will be restricted only to the “headers” property of a request, and will not be enabled for reference in the request URL or the request body.
Recommended steps to be taken for affected apps
You will likely need to publish an update to your app if it is affected by this change. You may consider the following options, depending on your situation:
- Secure parameters and tokens rarely need to be posted through a request body or request URL. Reconsider your approach and see if the parameter really needs to be hidden away from the front-end and marked secure in the first place.
- If the parameter must be marked secure and the endpoint you use expects it to be received as part of the request body, consider using Server Method Invocation instead.
- If you own the endpoint the request hits as part of app middleware, consider moving the secure parameter to one of the request headers. In the interim, please write to firstname.lastname@example.org and we can help you temporarily work around this change while you prepare the fix.
- If none of this works, we are happy to help you with a solution that works for you. Reach out to us.
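
A pre-publish check for the restriction described above, as an added example that is not Freshworks code: it flags Request Method calls that reference a secure installation parameter or the platform-managed OAuth2 access token in the URL or body, and leaves headers alone. It assumes the template syntax `<%= iparam.name %>`, `<%= encode(iparam.name) %>` and `<%= access_token %>`, which this announcement does not show; the function names and sample values are hypothetical.

```javascript
// Added example: flags request options that reference secure installation
// parameters or the platform-managed OAuth token outside "headers".
// Assumption: templates look like <%= iparam.name %>, <%= encode(iparam.name) %>
// and <%= access_token %>; this syntax is not shown in the announcement.
const TEMPLATE = /<%=\s*(?:\w+\(\s*)?(iparam\.(\w+)|access_token)\s*\)?\s*%>/g;

// Return the restricted references found in one string.
function restrictedRefs(text, secureNames) {
  const hits = [];
  for (const m of String(text).matchAll(TEMPLATE)) {
    if (m[1] === "access_token") hits.push("access_token");
    else if (secureNames.has(m[2])) hits.push(`iparam.${m[2]}`);
  }
  return hits;
}

// Check one request: url and body must not carry restricted references;
// headers are never inspected because references there remain allowed.
function auditRequest(url, options, secureNames) {
  const findings = [];
  for (const ref of restrictedRefs(url, secureNames)) {
    findings.push({ location: "url", ref });
  }
  const body = options.body === undefined ? "" :
    typeof options.body === "string" ? options.body : JSON.stringify(options.body);
  for (const ref of restrictedRefs(body, secureNames)) {
    findings.push({ location: "body", ref });
  }
  return findings;
}

// Constructed sample: "api_key" is marked secure, "subdomain" is not.
const secure = new Set(["api_key"]);
const affected = auditRequest(
  "https://<%= iparam.subdomain %>.example.com/v1/sync?key=<%= iparam.api_key %>",
  { headers: { Authorization: "Bearer <%= access_token %>" },
    body: JSON.stringify({ token: "<%= access_token %>" }) },
  secure
);
const compliant = auditRequest(
  "https://<%= iparam.subdomain %>.example.com/v1/sync",
  { headers: { "X-Api-Key": "<%= iparam.api_key %>" }, body: "{}" },
  secure
);
console.log(affected, compliant);
```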