Security updates to the platform - 19 May 2021

Dear Freshworks App Developers,

We hope this update finds you in health and safety.

From our last announcement related to a security update on the platform, you would have learned that we are lining up a few enhancements to improve the security posture of our platform.

We also want to assure you that this is the last planned deployment that comes without a heads-up to help you prepare for the change. As always, our analysis gives us confidence that this change will have little overall impact while significantly enhancing the security posture of the platform you use. We do, however, expect that if your apps are leveraging middleware running outside the platform, they are likely to be affected.

Starting immediately, the platform will restrict the use of installation parameters marked “secure” within the “body” property of a request made using the Request Method feature of the platform. These parameters can also not be referenced as part of the request URL. Your apps can continue referring to secure installation parameters as part of the “headers” property.

Similarly, a reference to an OAuth2 access token managed by the platform will be restricted only to the “headers” property of a request, and will not be enabled for reference in the request URL or the request body.

Recommended steps to be taken for affected apps

You will likely need to publish an update to your app if it is affected by this change. You may consider the following options, depending on your situation:

  • Secure parameters and tokens rarely need to be posted through a request body or request URL. Reconsider your approach and see if the parameter really needs to be hidden away from the front-end and marked secure in the first place.
  • If the parameter must be marked secure and the endpoint you use expects it to be received as part of the request body, consider using Server Method Invocation instead.
  • If you own the endpoint the request hits as part of app middleware, consider moving the secure parameter to one of the request headers. In the interim, please write to marketplace@freshworks.com and we can help you temporarily work around this change while you prepare the fix.
  • If none of this works, we are happy to help you with a solution that works for you. Reach out to us.
8 Likes
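The following is an added example, not code from Freshworks or from the announcement above. It is a small pre-publish check an app developer could run over their own Request Method calls to find the cases the platform now blocks: a secure installation parameter or the platform-managed OAuth token referenced in the request URL or body rather than in a header. It assumes (this is not stated on the page) that secure parameters are referenced with the `<%= iparam.NAME %>` template and the OAuth token with `<%= access_token %>`; the list of which parameters are marked secure is constructed here for the sample.

```javascript
// Added example (not Freshworks' own code): a pre-publish check that mirrors the
// platform restriction described in the announcement. It scans a Request Method
// call's URL and body for references to installation parameters marked "secure"
// (and for the platform-managed OAuth token) and only accepts them in headers.
//
// Assumptions (not stated on the page): secure iparams are referenced with the
// "<%= iparam.NAME %>" template and the OAuth token with "<%= access_token %>";
// the SECURE_PARAMS list below is constructed for this sample.

const IPARAM_REF = /<%=\s*iparam\.([A-Za-z0-9_]+)\s*%>/g;
const TOKEN_REF = /<%=\s*access_token\s*%>/;

// Collect every iparam name referenced in a string, or in any string nested in an
// object/array (a request body may be a JSON object rather than a string).
function findIparamRefs(value, found = new Set()) {
  if (typeof value === "string") {
    for (const m of value.matchAll(IPARAM_REF)) found.add(m[1]);
  } else if (Array.isArray(value)) {
    value.forEach((v) => findIparamRefs(v, found));
  } else if (value && typeof value === "object") {
    Object.values(value).forEach((v) => findIparamRefs(v, found));
  }
  return found;
}

// True if the OAuth token template appears anywhere inside the value.
function hasTokenRef(value) {
  if (typeof value === "string") return TOKEN_REF.test(value);
  if (Array.isArray(value)) return value.some(hasTokenRef);
  if (value && typeof value === "object") return Object.values(value).some(hasTokenRef);
  return false;
}

// Check one request config. Headers are deliberately not scanned: that is the
// one place the platform still allows secure parameters and the OAuth token.
// Returns { ok, violations } so the result can be used in a build step.
function checkRequest(url, options, secureParams) {
  const secure = new Set(secureParams);
  const violations = [];
  const places = { url: url, body: options && options.body };
  for (const [where, value] of Object.entries(places)) {
    for (const name of findIparamRefs(value)) {
      if (secure.has(name)) violations.push(`secure iparam "${name}" referenced in ${where}`);
    }
    if (hasTokenRef(value)) violations.push(`OAuth access token referenced in ${where}`);
  }
  return { ok: violations.length === 0, violations };
}

// Constructed sample: api_key is marked secure in iparams.json; subdomain is not.
const SECURE_PARAMS = ["api_key"];

// Before: the secure key is posted in the body, which the platform now blocks.
const before = checkRequest("https://api.example.com/v1/items", {
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ key: "<%= iparam.api_key %>", name: "widget" }),
}, SECURE_PARAMS);

// After: the same key is carried in an Authorization header, which is allowed.
// The non-secure subdomain parameter may still appear in the URL.
const after = checkRequest("https://<%= iparam.subdomain %>.example.com/v1/items", {
  headers: { Authorization: "Bearer <%= iparam.api_key %>", "Content-Type": "application/json" },
  body: JSON.stringify({ name: "widget" }),
}, SECURE_PARAMS);

console.log("before:", before);
console.log("after:", after);
```

Running this prints one violation for the first config (`secure iparam "api_key" referenced in body`) and none for the second. Wiring `checkRequest` into a build or lint step over each `$request` call gives an app developer the same answer the platform will now give at runtime, before publishing an update.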

The announcement was not comprehensive enough. Updated the same with the following changes -

  1. The fact that the reference to access tokens is also impacted.
  2. The call-out that apps using a middleware are likely to be most impacted and how they can work around this. Just write to us at marketplace@freshworks.com for a temporary workaround.

Apologies for missing these details. Thanks to the community for bringing these to our attention.

5 Likes

I emailed this email id 2 days back, but no revert?

Customers are complaining. Kindly help.

1 Like

@Prashant_Tandon As per our discussion in the private thread, the app has been added to our allowList for the time being to keep it working for the customers.

Please get the app updated for this security change, as this allowList is temporary. Thank you!

1 Like