Security guidelines

How to keep your app (and its users) secure.

At Canva, the security of our platform is paramount, and we expect app developers to maintain similar standards. This page outlines some of the key recommendations to keep your app (and its users) secure.

Canva takes responsibility for some aspects of security, but not all of them. For a complete list of the security responsibilities you'll need to consider for your app, see the Shared responsibility model for Canva Apps.

Use reasonable security measures

Security is a huge topic, and it's beyond the scope of this documentation to explain every measure you could take to keep an app secure. A good starting point is to make sure your app is not vulnerable to any of the weakness classes in the OWASP Top 10.

Respect Canva's Content Security Policy

Canva applies a Content Security Policy (CSP) to the iframe your app runs in. The policy prevents the app from loading certain resources inside the iframe, such as scripts from third-party origins. Apps can't circumvent the policy, and a violation does not fail loudly: a blocked script or stylesheet simply never loads, with only a CSP violation message in the browser console to explain why, so the app may break in surprising ways. Keep the restrictions in mind when deciding how to load dependencies.

To learn more, see Content Security Policy.

Configure Cross-Origin Resource Sharing

Cross-Origin Resource Sharing (CORS) is the browser mechanism that controls whether client-side code on one origin is allowed to read responses from another origin. By default the browser's same-origin policy blocks such reads; a backend opts in by returning an Access-Control-Allow-Origin header (and related headers) for the origins it trusts. Because your app's frontend and its backend live on different origins, the backend must send these headers for the app to work at all, and we recommend setting the most restrictive policy possible: list only the exact origin(s) your app is served from, never echo the request's Origin header unconditionally, and don't use the wildcard (*).

To learn more, see Cross-Origin Resource Sharing.
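The allowlist approach, as an added example that is not Canva's own code: a backend helper that decides which CORS headers to send for a given request Origin. The origin in the allowlist is a placeholder for wherever your app's frontend is actually served from, and the reflected-origin variant is included only to show what the permissive mistake looks like.

```javascript
// Added example (not Canva's own code): choosing CORS response headers from an
// explicit origin allowlist. The origin below is a placeholder; put the
// origin(s) your app's frontend is actually served from here.
const ALLOWED_ORIGINS = new Set([
  "https://app-example.canva-apps.com", // assumed placeholder origin
]);

// Permissive (avoid): echoes whatever Origin the request carries, with
// credentials. Any site on the web can then call the backend from a victim's
// browser and read the responses.
function corsHeadersReflected(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Restrictive: only an exact, allowlisted origin gets CORS headers. Anything
// else (missing Origin, the literal "null", unparseable, a lookalike host)
// gets none, so the browser refuses to expose the response to the caller.
function corsHeadersFor(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== "string") return {};
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch {
    return {}; // covers the "null" origin sent from sandboxed frames
  }
  // URL.origin is scheme://host[:port], lowercased, with no path or trailing
  // slash, so membership is an exact comparison rather than a startsWith or
  // regex check that "https://app-example.canva-apps.com.evil.example"
  // could slip past.
  const origin = parsed.origin;
  if (origin === "null" || !allowed.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
    "Access-Control-Max-Age": "600",
    // The response differs per Origin; tell shared caches so one origin's
    // allow header is never served to another.
    "Vary": "Origin",
  };
}
```

In an Express backend you would apply the result with `res.set(corsHeadersFor(req.get("Origin")))` on every response, including the OPTIONS preflight (answer that with 204 and no body). Note that browsers reject `Access-Control-Allow-Origin: *` when combined with `Access-Control-Allow-Credentials: true`, so a wildcard is not a shortcut for an API that relies on cookies or an Authorization header.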

Verify HTTP requests

When an app sends an HTTP request to a backend, the backend should verify that the request genuinely comes from your app running inside Canva, on behalf of a known user, before acting on it. Without this check, anyone who discovers the backend's URL can send it arbitrary (and potentially malicious) requests.

To learn more, see HTTP request verification.

Store secrets securely

Apps often need to store secrets and tokens, such as API keys or access tokens. There are inherent risks to this, so it's important to consider those risks and mitigate against them.

Here's what we recommend:

  • When extracting information about the current user from a JSON Web Token (JWT), always verify the token's signature and its claims (such as audience and expiry) before trusting anything in it. This ensures the token has not been tampered with or reused out of context. To learn more, see JSON Web Tokens.
  • When integrating with third-party services, request tokens with the narrowest scopes the integration actually needs. This reduces the potential impact of a breach.
  • Keep sensitive values such as API keys in memory (for example, inside a JavaScript closure) rather than in WebStorage APIs such as localStorage or sessionStorage. WebStorage is written to disk and is readable by any script running in the same origin, and by anyone with access to the machine simply by opening the browser's developer tools.
  • Keep secrets and tokens masked from users after they are stored in a database; avoid logging them to the console or displaying them after creation.
  • Apply rate limiting to endpoints that accept or use tokens, so a leaked token cannot be used for unlimited requests.
  • Transmit tokens in the body of a POST request or in an Authorization header, never in the URL query string, where they end up in browser history, proxy and server logs, and Referer headers.
  • Always associate access tokens with the combination of the ID of the user and the ID of their team. This ensures that, if a user is removed from the team, their access through the app is also revoked.
  • If an access token is no longer needed, delete the token immediately. For example, delete access tokens as soon as a user deletes their account, data, or connection between Canva and a third-party platform.
  • Maintain strict token and capability isolation, ensuring that all token-bound functionality is available only to the user it was issued to.
  • Use Transport Layer Security (TLS) with current protocol versions and cipher suites to encrypt all traffic between your app, its backend, and other services. This ensures access tokens and secrets are never transmitted in the clear.
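How the user-plus-team association, isolation, revocation and masking recommendations above fit together in code, as an added example that is not Canva's code: a small backend-side token store. The names, the in-memory Map and the `service` dimension are illustrative; a real deployment would back the same interface with an encrypted database.

```javascript
// Added example (not Canva's code): backend-side storage of third-party access
// tokens keyed by (userId, brandId, service). Names and the in-memory Map are
// illustrative; a real deployment would back this with an encrypted database.
function createTokenVault() {
  // Closure-scoped: no caller can reach the Map, only the methods below.
  const entries = new Map();

  // JSON-encode the tuple so "ab"+"c" and "a"+"bc" can never collide, and so
  // a token is only ever looked up with the exact user+team it was issued for.
  const keyFor = (userId, brandId, service) => {
    for (const v of [userId, brandId, service]) {
      if (typeof v !== "string" || v === "") throw new Error("userId, brandId and service are required");
    }
    return JSON.stringify([userId, brandId, service]);
  };

  return {
    store(userId, brandId, service, token) {
      entries.set(keyFor(userId, brandId, service), { token, issuedAt: Date.now() });
    },
    // The same user in a different team, or a different user in the same team,
    // gets null: the token never crosses that boundary.
    get(userId, brandId, service) {
      const entry = entries.get(keyFor(userId, brandId, service));
      return entry ? entry.token : null;
    },
    // The user disconnected the service: drop that token immediately.
    revoke(userId, brandId, service) {
      return entries.delete(keyFor(userId, brandId, service));
    },
    // The user was removed from the team (or deleted their account): drop every
    // token for that (user, team) pair. Returns how many were removed.
    revokeUserInTeam(userId, brandId) {
      let removed = 0;
      for (const key of entries.keys()) {
        const [u, b] = JSON.parse(key);
        if (u === userId && b === brandId) {
          entries.delete(key);
          removed++;
        }
      }
      return removed;
    },
    // Safe to log: a count only, never token values.
    size() {
      return entries.size;
    },
  };
}

// For display after creation (e.g. "connected as ****abcd"): never the full value.
function maskToken(token) {
  return token.length >= 8 ? "****" + token.slice(-4) : "****";
}
```

The same closure pattern applies in the app's frontend: a value captured by a function in your module is invisible to the developer tools' Application tab and to other scripts, whereas `localStorage.setItem` makes it both persistent and trivially readable.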

Don't require users to download files

Your app should never ask or require users to download external files — especially executable ones. External files are a significant security risk and, at the very least, requiring users to download them erodes trust.