OWASP Headers
The Open Web Application Security Project (OWASP) recommends a set of HTTP response headers for web applications that raise the security baseline and reduce the browser's exposure to attack. For more information, including specific guidance and tools, see OWASP.
OWASP Secure Headers for App Home URL and HTML
The Zoom Apps platform enforces a subset of the OWASP recommendations. The text/html response your server returns for the app's home URL must carry the security headers recommended by the OWASP Secure Headers Project. The Zoom client checks every document response (MIME type text/html) returned with a 200 status code for the presence of these headers. Ensure that your app backend sets the following headers on its HTML responses:
- Strict-Transport-Security
- X-Content-Type-Options
- Content-Security-Policy
- Referrer-Policy
Attention
A home URL response that lacks any of these headers causes your app to be blocked from rendering in the Zoom Apps embedded browser.
An HTML response without these headers is not parsed or rendered, and the console shows an error listing the missing headers:
Missing OWASP Secure Headers: "Strict-Transport-Security" "X-Content-Type-Options" "Content-Security-Policy" "Referrer-Policy" for URL
Content Security Policy Header (CSP)
Zoom Apps require the Content-Security-Policy (CSP) header. This header tells the browser which origins each type of resource (scripts, styles, media files, and so on) may be loaded from; anything not permitted by the policy is blocked. For more information about CSP, see OWASP.
An example of an error caused by a mismatched definition in your site's CSP:
Error: Refused to load `file` because it appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
This error indicates that the browser refused to load a resource because its origin is not permitted by the directive that governs that resource type, and that when the specific directive (here script-src) is absent, the browser falls back to default-src.
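To make the fallback behaviour behind that error concrete, here is an added example (written for this page, not Zoom's or any browser's code) that evaluates a CSP header the way the message describes: a fetch directive such as script-src governs its own resource type, and default-src is consulted only when that directive is missing. It is a simplified matcher (no nonces, hashes, 'strict-dynamic' or report-only handling) and the policy, page and resource URLs are placeholders.

```javascript
// Added example, not Zoom's code: a simplified CSP source matcher showing the
// script-src -> default-src fallback. Hostnames and the policy are assumptions.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
// Fetch directives that fall back to default-src when absent.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'media-src', 'connect-src', 'frame-src',
]);

// Parse "dir src src; dir src" into a Map of directive -> source list.
// A repeated directive is ignored after its first occurrence, as in the spec.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// "*.example.com" matches subdomains only, never the bare apex.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// A scheme in the policy also permits its secure upgrade (http -> https, ws -> wss).
function schemeMatches(policyScheme, urlScheme) {
  return policyScheme === urlScheme ||
    (policyScheme === 'http:' && urlScheme === 'https:') ||
    (policyScheme === 'ws:' && urlScheme === 'wss:');
}

// Does one source expression match the resource URL loaded by the page?
function sourceMatches(expr, resource, page) {
  const e = expr.toLowerCase();
  if (e === "'self'") return resource.origin === page.origin;
  if (e.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes: never a URL match
  if (e === '*') return resource.protocol in DEFAULT_PORTS; // bare * covers network schemes only
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeMatches(e, resource.protocol); // scheme-source, e.g. data:
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/\S*)?$/);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const policyScheme = scheme ? scheme + ':' : page.protocol;
  if (!schemeMatches(policyScheme, resource.protocol)) return false;
  if (!hostMatches(host, resource.hostname)) return false;
  const resourcePort = resource.port || DEFAULT_PORTS[resource.protocol] || '';
  if (port && port !== '*' && port !== resourcePort) return false;
  if (path) {
    return path.endsWith('/') ? resource.pathname.startsWith(path) : resource.pathname === path;
  }
  return true;
}

// May `resourceUrl` be loaded as `directive` (e.g. 'script-src') by a document
// at `pageUrl` under `header`? Also reports which directive made the decision.
function cspAllows(header, directive, resourceUrl, pageUrl) {
  const csp = parseCsp(header);
  let governing = directive;
  let sources = csp.get(directive);
  if (sources === undefined && FALLS_BACK_TO_DEFAULT.has(directive)) {
    governing = 'default-src';
    sources = csp.get('default-src');
  }
  if (sources === undefined) return { allowed: true, directive: null }; // policy is silent on this type
  const resource = new URL(resourceUrl);
  const page = new URL(pageUrl);
  return { allowed: sources.some((s) => sourceMatches(s, resource, page)), directive: governing };
}

// Illustrative console wording for a blocked load; the fallback case copies
// the message quoted on this page, the other is a paraphrase.
function describeViolation(header, directive, resourceUrl, pageUrl) {
  const { allowed, directive: governing } = cspAllows(header, directive, resourceUrl, pageUrl);
  if (allowed) return null;
  return governing === 'default-src'
    ? `Refused to load ${resourceUrl} because it appears in neither the ${directive} directive nor the default-src directive of the Content Security Policy.`
    : `Refused to load ${resourceUrl} because it is not listed in the ${directive} directive of the Content Security Policy.`;
}

module.exports = { parseCsp, sourceMatches, cspAllows, describeViolation };
```

The practical lesson the matcher shows: listing a CDN under script-src does not let a stylesheet load from the same CDN, because style-src falls back to default-src, not to script-src. Each resource type that your home page loads from a third-party origin needs that origin in its own directive or in default-src.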
Attention
Resources may also be blocked because their domain has not been added to the app's domain allow list. This is a different cause from a CSP violation, although the error messages look similar.
Example error message:
Content blocker prevented frame displaying https://example.com from loading a resource from https://domain/file.css (url, line XYZ).