Validation checklist
My custom application is ready, what should I consider before I ask for a validation test?
Development Tools subscription
Access to a customer’s tenant from a custom application requires an active Development Tools subscription license. The license is purchased by the customer.
If the subscription is discontinued, any custom applications will lose access to that tenant.
Security
- All redirection URLs and all URLs embedded in web panels are secure: run the Qualys SSL Labs SSL Server Test against them and aim for an A rating
- SSL 2.0 and 3.0 are disabled
- TLS 1.2 is supported
- All data is validated on input and escaped on output
- The application uses federated authentication and validates all tokens received from SuperOffice
Provisioning
The SuperOffice App Manager grants explicit consent to approved custom applications during activation.
Custom apps therefore do not need to implement the workflow for giving consent.
Error handling
- The application handles scenarios where access to the customer’s database is lost, such as during our maintenance windows. Check the tenant status page
Limit your searches
- API calls don't choke the database; see the best practices
- Ensure the user types at least 3 characters before you start searching for contacts, persons, email addresses, selections, and similar
- No more than 10 API calls per second
Protect your web panels
- Information doesn't leak via web panels (and is thus not forwarded to others who are not authorized)
- The context identifier template variable (uctx) and the user login associate ID (usid) are part of the URL of all web panels you add
- usec is never passed as a parameter in the URL
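A small pre-validation lint for the two web-panel rules above, written as an added example and not part of SuperOffice's own tooling. It assumes template variables appear in the configured URL as `<name>` placeholders (an assumption; the check matches the bare variable name, so other placeholder syntaxes also work) and flags non-HTTPS URLs, a missing uctx or usid, and any presence of usec.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Template variable names from the checklist: uctx (context identifier) and usid
# (user login associate ID) belong in every web-panel URL; usec is forbidden online.
REQUIRED_TEMPLATE_VARS = ("uctx", "usid")
FORBIDDEN_TEMPLATE_VARS = ("usec",)

def _has_token(url: str, name: str) -> bool:
    # Match the variable name as a whole word, whatever placeholder syntax wraps it
    # (the <name> form used in the samples below is an assumption, not from this page).
    return re.search(rf"(?<![A-Za-z0-9_]){re.escape(name)}(?![A-Za-z0-9_])", url) is not None

def check_web_panel_url(url: str) -> list[str]:
    """Return checklist findings for one web-panel URL; an empty list means it passes."""
    findings = []
    if urlparse(url).scheme != "https":
        findings.append("URL is not https")
    for name in FORBIDDEN_TEMPLATE_VARS:
        if _has_token(url, name):
            findings.append(f"{name} is passed in the URL (forbidden online)")
    for name in REQUIRED_TEMPLATE_VARS:
        if not _has_token(url, name):
            findings.append(f"{name} template variable is missing")
    return findings

def check_web_panels(urls: list[str]) -> dict[str, list[str]]:
    """Run the check over every configured web-panel URL; only failing URLs are returned."""
    return {u: f for u in urls if (f := check_web_panel_url(u))}

# Constructed sample web-panel URLs (not from the page), using the assumed <name> placeholder style.
SAMPLE_PANELS = [
    "https://panels.example.com/contact?ctx=<uctx>&user=<usid>",           # passes
    "http://panels.example.com/contact?ctx=<uctx>&user=<usid>",            # not https
    "https://panels.example.com/debug?ctx=<uctx>&user=<usid>&sec=<usec>",  # usec leaked
    "https://panels.example.com/sale?ctx=<uctx>",                           # usid missing
]

if __name__ == "__main__":
    for url, findings in check_web_panels(SAMPLE_PANELS).items():
        print(url, "->", "; ".join(findings))
```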
⚠️ Warning
The use of the usec template variable is forbidden in online environments.
If you need to use the usec variable for debugging or other purposes, it should only be done in a secure, onsite installation where access is restricted to authorized personnel.
If you have already used the usec variable in an online environment, it will only return an empty string from v11.5.
System user and important rules
- Never rename the owner company (the contact.name field for the company with the contact_id found in the Company database table). If you do, our license check fails and all users are locked out!
- Persons may be associates. If they have a row in the associate table, then:
  - don't update a person's company (person.contact_id)
⚠️ Warning
You must protect the customer database from total destruction, which will require Online Operations to update the database manually. Use the system user with great caution.
Maintenance window
- The application handles unavailability scenarios, such as when CRM Online is not available