Security requirements

Apps must meet these requirements before they will be published.

Apps published on the QuickBooks app store must not only meet these requirements at the time of publication, but continuously after publishing. In addition, apps not published on the app store must meet these requirements if they exceed 500 connections. Intuit checks all apps annually to ensure that they still meet the technical and security standards required.


The average estimated time it should take for your app to complete security review is about 7 days. This can vary if issues are found in your app during the review process.

App server configuration

These steps help you verify that your server's configuration will pass the security review.

  • Caching has been disabled on all SSL pages and all pages that contain sensitive data by using value no-cache and no-store instead of private in the Cache-Control header.
  • All OS, web server, and app server security patches are up to date at this time, and that new patches are applied in a commercially reasonable timeframe after they are made available by the hardware and software vendors.
  • SSL must be configured to support only TLS version 1.1 or higher. TLS version 1.2 using AES 256 or higher with SHA-256 is recommended.
  • HTTPS is enforced on all pages of your app.
  • The app web server must be configured to disable the TRACE and other HTTP methods if not being used.
  • You must not log any user’s credentials or QuickBooks data.

Attack vulnerability

During the security test, Intuit will ensure that your app is secure against the following vulnerabilities. Ensure that you test it accordingly and resolve any issues prior to submitting your app for approval.

  • Cross Site Request Forgery.
  • Cross Site Scripting (including reflected and stored cross site scripting).
  • SQL Injection.
  • XML Injection.
  • Authentication, Sessions Management and Functional level access control (if any).
  • Forwards or Redirects in use have been validated.

QuickBooks data usage

These tests verify that your app meets Intuit's requirements for handling QuickBooks data.

  • Your app does not provide third-parties with access to a customer's QuickBooks data, via external API calls or any other means.
  • Your app cannot export, save, or store QuickBooks data for any purpose other than the functional use of your app.

Cookie management

Verify that your app meets these requirements regarding how it handles and stores cookies.

  • All app session cookies have the following attributes set:
    • Secure
    • HTTPOnly

OAuth token management

Verify that your app meets these requirements for OAuth token management.

  • Intuit OAuth tokens or customer-identifying information must not be exposed within your app or shared with other parties.
  • Token management once a user completes the OAuth authorization workflow:
    • OAuth 1.0a
      • Encrypt and store the consumer key, consumer secret, access token, access token secret, and realmId in persistent memory.
      • Encrypt the Intuit access token with a symmetric algorithm (3DES or AES). AES is preferred.
      • Store your AES key in your app, in a separate configuration file.
    • OAuth 2.0
      • Encrypt and store the refresh token and realmId in persistent memory.
      • Encrypt the refresh token with a symmetric algorithm (3DES or AES). AES is preferred.
      • Store your AES key in your app, in a separate configuration file.

In addition to the above requirements, refer to these best practices for handling OAuth 1.0a tokens or OAuth 2.0 tokens within your app.

Did you find this page helpful?
Your feedback helps us make our docs better. Please let us know if this page helped you, or if it needs improvement.

 Got Questions? Get Answers in our developer forums.