Cloudflare Apps is a platform for sharing high-quality apps that are easy to use by anyone with a website. In order to ensure that apps are easy to install by non-technical customers and are free from security vulnerabilities, our team reviews all apps before they’re listed publicly. Make sure your app meets the entire checklist below before submitting.
In order for our team to be able to conduct a security review of your app, its source code must be submitted in an unminified and unobfuscated form.
Apps are automatically minified when injected in the customer’s site.
The moderation process ensures that approved apps are secure and consistent for the customer. We strongly encourage apps to declare all JavaScript and CSS as install.json resources.
Your app may request external resources like images, videos, fonts, and JSON responses from API requests.
Apps that require external files are permitted with the following criteria:
Apps will only be accepted if they accurately and fully reflect the functionality of the app’s listing.
Apps may not aggregate unrelated user data from the browser, such as from LocalStorage, IndexedDB, or cookies.
It is acceptable to use the browser’s storage within your app; however, it is not acceptable to collect user data for purposes outside the scope of your app’s stated functionality.
Apps that accept input from customers introduce the opportunity for XSS vulnerabilities. To mitigate this risk, apps must escape customer input. Consult the HTML5 Security Cheatsheet for some common vectors of attack.
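As an added example (not code from the Cloudflare Apps guidelines or from any published app), the following shows the escaping step the paragraph requires: a customer-supplied option value concatenated into markup without escaping, the same render with every value escaped for both attribute and text context, and a DOM-based variant that avoids markup parsing altogether. The option name `title`, the render functions and the sample value are all constructed for this illustration.

```javascript
// Added example: escaping customer input before it reaches the page.
// The option name `title`, the functions and the sample value are constructed.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: customer text concatenated straight into markup.
// A value containing a quote or angle bracket changes the structure of the HTML.
function renderBannerUnsafe(options) {
  return '<div class="banner" title="' + options.title + '">' + options.title + '</div>';
}

// Hardened pattern: every customer value is escaped in both attribute and text context.
function renderBannerSafe(options) {
  const t = escapeHtml(options.title);
  return '<div class="banner" title="' + t + '">' + t + '</div>';
}

// Preferred when a DOM is available: property assignment and textContent never parse
// markup, so there is no escaping step to forget. `doc` is passed in so the function
// can also run against a stand-in document outside a browser.
function mountBanner(doc, options) {
  const el = doc.createElement('div');
  el.className = 'banner';
  el.title = String(options.title);
  el.textContent = String(options.title);
  return el;
}

// Constructed sample: a value a customer could type into an install option field.
const SAMPLE = { title: '"><script>x()</script>' };
```

In a real app the same treatment applies to every customer-controlled value (colours, URLs, labels), and URL-valued options additionally need a scheme check before being placed in `href` or `src`.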
Use of eval or its variants is generally not allowed because of the security hazards they introduce.
Apps that hinder users and their customers from using their browser to its fullest extent are not permitted. Some examples include:
while (true) {}
Cloudflare apps that use third-party accounts are required to use OAuth for authentication to maintain a consistent, secure flow for customers. Cloudflare WebHooks contain useful information about the customer and their site. This data can be used to prefill registration fields; however, the customer must manually consent to the account creation.