Security guidelines

How to keep your app (and its users) secure.

At Canva, the security of our platform is paramount and we expect app developers to maintain similar standards. This page outlines some of the key recommendations to keep your app (and its users) secure.

Security is a huge topic and it's beyond the scope of this documentation to explain every measure you could take to keep an app secure, but a good starting point is to ensure your app is not vulnerable to the OWASP Top 10.

Canva applies a Content Security Policy (CSP) to the app's iframe. This policy prevents apps from loading certain resources within the iframe, such as third-party scripts. Apps can't circumvent the policy, but the app may break in surprising ways if it violates the policy, so it's important to be mindful of the restrictions.

To learn more, see Content Security Policy.

Cross-Origin Resource Sharing (CORS) is a security feature of web browsers that blocks client-side HTTP requests between different origins. We recommend setting the most restrictive policy possible.

To learn more, see Cross-Origin Resource Sharing.

When an app sends an HTTP request to a backend, the backend should verify that the request is from a known, trusted source. This prevents bad actors from sending arbitrary (and potentially malicious) requests to the backend.

To learn more, see Verifying HTTP requests.

Apps often need to store secrets and tokens, such as API keys or access tokens. There are inherent risks to this, so it's important to consider those risks and mitigate against them.

Here's what we recommend:

  • When extracting information about the current user from a JSON Web Token (JWT), always verify the token. This ensures the token has not been tampered with. To learn more, see Verifying JWTs.
  • When integrating with third-party services, use tokens that have the least amount of access to that service as possible. This reduces the potential impact of a breach.
  • Don't use the local storage APIs to store sensitive values. This data can be accessed by anyone with access to the machine, simply by opening the browser's developer tools.
  • Don't expose secrets or tokens to the user after storing them in a database. For example, don't log secrets to the console or let the user reveal a previously created secret.
  • Use rate-limiting to prevent the misuse of tokens.
  • Don't consume or transmit tokens via the query string of a URL, as these tokens can be logged by third-party services. Always use POST requests to transmit secrets via HTTP.
  • Always associate access tokens with the combination of the ID of the user and the ID of their team. This ensures that, if a user is removed from the team, their access via the app is also revoked.
  • If an access token is no longer needed, delete the token immediately. For example, delete access tokens as soon as a user deletes their account, data, or connection between Canva and a third-party platform.
  • Ensure there's no way to expose a user's token — or the functionality of that token — to another user.
  • Use Transport Layer Security (TLS) protocols and ciphers to encrypt traffic between your app, its backend, and other services. This ensures any access tokens or secrets are never transmitted unencrypted.
  • Once your app has knowledge of a user token, don't log it or store it in any way outside of your app's database.

Your app should never ask or require users to download external files — especially executable ones. External files are a significant security risk and, at the very least, requiring users to download them erodes trust.