Security requirements

Apps must meet these requirements before they will be published.

Apps published on the QuickBooks app store must meet these requirements not only at the time of publication but continuously thereafter. In addition, apps that are not published on the app store must meet these requirements once they exceed 500 connections. Intuit checks all apps annually to ensure that they still meet the required technical and security standards.

Note

The average estimated time it should take for your app to complete security review is about 7 days. This can vary if issues are found in your app during the review process.

App server configuration

These steps help you verify that your server’s configuration will pass the security review.

  • Caching has been disabled on all SSL pages and on all pages that contain sensitive data, by using the values no-cache and no-store (rather than private) in the Cache-Control header.
  • All OS, web server, and app server security patches are up to date at the time of review, and new patches are applied within a commercially reasonable timeframe after the hardware and software vendors release them.
  • SSL must be configured to support only TLS version 1.1 or higher. TLS version 1.2 using AES 256 or higher with SHA-256 is recommended.
  • HTTPS is enforced on all pages of your app.
  • The app web server must be configured to disable the TRACE and other HTTP methods if not being used.
  • You must not log any user’s credentials or QuickBooks data.

Attack vulnerability

During the security test, Intuit will ensure that your app is secure against the following vulnerabilities. Ensure that you test it accordingly and resolve any issues prior to submitting your app for approval.

  • Cross Site Request Forgery.
  • Cross Site Scripting (including reflected and stored cross site scripting).
  • SQL Injection.
  • XML Injection.
  • Authentication, Session Management, and Functional level access control (if any).
  • Any forwards or redirects in use have been validated.

QuickBooks data usage

These tests verify that your app meets Intuit’s requirements for handling QuickBooks data.

  • Your app does not provide third-parties with access to a customer’s QuickBooks data, via external API calls or any other means.
  • Your app cannot export, save, or store QuickBooks data for any purpose other than the functional use of your app.

Cookies

Verify that your app meets these requirements regarding how it handles and stores cookies.

  • All app session cookies have the following attributes set:
    • Secure
    • HTTPOnly

OAuth token management

Verify that your app meets these requirements for OAuth token management.

  • Intuit OAuth tokens or customer-identifying information must not be exposed within your app or shared with other parties.
  • Token management once a user completes the OAuth authorization workflow:
    • OAuth 1.0a
      • Encrypt and store the consumer key, consumer secret, access token, access token secret, and realmId in persistent storage.
      • Encrypt the Intuit access token with a symmetric algorithm (3DES or AES). AES is preferred.
      • Store your AES key in your app, in a separate configuration file.
    • OAuth 2.0
      • Encrypt and store the refresh token and realmId in persistent storage.
      • Encrypt the refresh token with a symmetric algorithm (3DES or AES). AES is preferred.
      • Store your AES key in your app, in a separate configuration file.

In addition to the above requirements, refer to these best practices for handling OAuth 1.0a tokens or OAuth 2.0 tokens within your app.

Protect sensitive information

Web application endpoints that receive sensitive customer information or authentication tokens in URL parameters must not return HTML content in the HTTP response body. This prevents those values from being leaked to third parties through the Referer header of subsequent HTTP requests. Instead, such endpoints should respond with a 302 Found redirect. This is particularly important for endpoints that handle authentication tokens.