This page provides guidance to help you build components that are secure and perform well.
All component plug-ins run in an iframe to isolate them from the surrounding interface. Your component should be designed with the following restrictions in mind:
- Your component's content is loaded from the dynamic content domain rather than the parent site domain to take advantage of cross-origin resource sharing (CORS) protection
- The iframe is sandboxed with the following capabilities enabled:
- The following feature policies are enabled (for content in your component only):
These recommendations represent areas that are specific to building component plug-ins. For a more detailed web application security guide, consult the OWASP Top Ten and other OWASP recommendations.
- Don't store credentials or other sensitive values in your component code. These values would be easily accessible to anyone using the system.
- Don't provide input parameters for credentials or other sensitive values. This would force the designer to put plaintext values in constants or directly in the interface.
- Store sensitive values like system credentials in a connected system plug-in and access them using client APIs on the server
- Never directly expose connected system credentials using a client API. Always return a calculated value based on the credentials.
Remember that your component will run in an interface with other components, data queries, integrations, etc. It may be used by many users simultaneously, from different locations across the globe. When designing your component, take these performance recommendations into account so that you provide a pleasant user experience:
Avoid Frequent Updates
- Minimize calls to Appian.Component.saveValue since these calls can trigger potentially time-consuming re-evaluations of the interface
- In general, save values only in response to user input, not as a result of automated processing, and consolidate any sequences of rapid input into a single save (e.g.: save after a field loses focus rather than on each keystroke)
- If saving values as a result of an external event, limit updates to 2 per minute
Minimize Data Size
- There's no explicit limit on the amount of data you can pass to or from the interface, but keep in mind that if that data is stored in a local variable it could cause the interface to exceed the memory threshold and terminate
- Avoid sending or receiving large requests with external systems that could slow down over low bandwidth connections (e.g.: mobile devices) or over long distances