Welcome to the comprehensive security requirements guide for developing secure applications on the Vim Canvas platform. All applications must meet these security standards before deployment to production environments.
Security Requirements Checklist
To ensure your application meets Vim Canvas security standards, you must satisfy the following requirements:
| # | Requirement | Description |
|---|---|---|
| 1 | Security Vulnerability Scans | All domains must pass security vulnerability scans. Any critical or high-severity vulnerabilities must be addressed before approval. |
| 2 | Valid HTTPS Certificates | HTTPS certificates must be valid for all domains used by your application. |
| 3 | HSTS Implementation | HSTS (HTTP Strict Transport Security) must be implemented with a minimum max-age of 1 year to ensure all connections use HTTPS. |
| 4 | TLS Encryption Standards | Must use current industry-standard encryption (TLS 1.2+ recommended). |
| # | Requirement | Description |
|---|---|---|
| 5 | JWT Security Best Practices | Implement industry-standard JWT security practices: use strong signature algorithms (RS256 recommended); implement proper token validation and verification; set appropriate token expiration times (typically 15-60 minutes for access tokens); store JWT signing keys securely; validate the issuer (iss), audience (aud) and expiration (exp) claims; use secure random secrets for HMAC algorithms; implement token refresh mechanisms; do not store sensitive data in the JWT payload; and transmit tokens over HTTPS only. Rotate signing keys regularly and implement proper error handling for token validation failures. |
| 6 | VimOS.js Integration and ID Token Exchange | Implement secure authentication using the VimOS.js SDK authentication methods. The specific implementation may vary depending on your chosen approach (standard OAuth 2.0 flow, Auth0 social login, etc.). ID Token Exchange Process: the ID token provided by Vim's OAuth 2.0 flow should be exchanged for your application's own access token on your backend. When creating your application tokens, you may reference and use user and organizational context fields from Vim's ID token (such as user ID, organization ID, user type, organization name, etc.) as needed for your application's authorization logic. Request only the OAuth scopes your application's functionality needs and avoid requesting excessive permissions. |
| # | Requirement | Description |
|---|---|---|
| 7 | Data Encryption | All sensitive data must be encrypted both in transit and at rest using industry-standard encryption methods. |
| 8 | PII and PHI Protection | Personal Health Information (PHI) and Personally Identifiable Information (PII) must be handled in compliance with HIPAA and other applicable regulations. |
| 9 | Data Retention Policies | Implement clear data retention and deletion policies. Data should not be stored longer than necessary for business purposes. |
| 10 | Business Associate Agreement (BAA) | Maintain a valid Business Associate Agreement if handling PHI. Ensure compliance with HIPAA requirements. |
| # | Requirement | Description |
|---|---|---|
| 11 | Secure API Key Management | API keys, tokens, and secrets must be stored securely using proper secrets management solutions (not hardcoded). |
| 12 | Environment Separation | Maintain separate environments for development, staging, and production with appropriate access controls. |
| 13 | Access Control Implementation | Implement role-based access control (RBAC) and the principle of least privilege for all user access. |
| 14 | Secure Database Configuration | Databases must be properly configured with encryption, access controls, and regular security updates. |
| 15 | Cloud Security Configuration | Cloud infrastructure must follow security best practices including proper IAM policies, network segmentation, and monitoring. |
| # | Requirement | Description |
|---|---|---|
| 16 | Input Validation | All user inputs must be validated and sanitized to prevent injection attacks (SQL injection, XSS, etc.). |
| 17 | Output Encoding | Implement proper output encoding to prevent XSS attacks and ensure data integrity. |
| # | Requirement | Description |
|---|---|---|
| 18 | Security Event Logging | Implement comprehensive logging for security events, authentication attempts, and access patterns. |
| 19 | Log Protection | Ensure logs do not contain sensitive information (passwords, PHI, PII) and are stored securely. |
| 20 | Monitoring and Alerting | Implement real-time monitoring and alerting for security incidents and unusual activity patterns. |
| # | Requirement | Description |
|---|---|---|
| 21 | Secure Cookie Configuration | Cookies must be configured with appropriate security flags (Secure, HttpOnly, SameSite) and have reasonable expiration times. |
| 22 | Session Security | Implement secure session management with proper session timeout, renewal, and invalidation mechanisms. |
Pre-Deployment Checklist
Before submitting your application for review, ensure you have completed the following:
Security Requirements
Documentation Requirements
Additional Resources
Security Questionnaire and Application Submission
These security best practices directly correlate with the Security Questionnaire required during the application submission process. The questionnaire serves as a transparency tool where developers must document their security and compliance measures, which will be displayed to end users in the Applications section to build trust and provide visibility into data protection practices.
Complete the Security Questionnaire: Submitting Application - Security Questionnaire
The security questionnaire ensures that:
Healthcare Compliance
OAuth 2.0 and Authentication
Application Security
Support
If you have questions about these security requirements or need assistance with implementation, please contact the Vim Developer Support team.
Developer Support: security@getvim.com