OWASP Headers

The Open Web Application Security Project (OWASP) recommends a set of HTTP response headers for web applications that harden the application and reduce the browser's exposure to attacks such as protocol downgrade, MIME-type sniffing, cross-site scripting and referrer leakage. For more information, including specific guidance and tools, see OWASP.

OWASP Secure Headers for App Home URL and HTML

The Zoom Apps platform enforces a subset of the OWASP recommendations. The HTTPS response your server returns for the app's home URL, when its MIME type is text/html, must carry the security headers recommended by the OWASP Secure Headers Project. The Zoom client checks every document response (MIME type text/html) returned with a 200 status code for the presence of these headers. Ensure that your app backend adds the following headers to its HTML responses:

  • Strict-Transport-Security
  • X-Content-Type-Options
  • Content-Security-Policy
  • Referrer-Policy

Any HTML response that lacks one or more of these headers is not parsed or rendered, and the Zoom client logs a console error listing the headers that are missing:

Missing OWASP Secure Headers: "Strict-Transport-Security", "X-Content-Type-Options", "Content-Security-Policy", "Referrer-Policy" for URL
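The following is an added example, not Zoom's code or part of this page: a small Node.js helper that sets the four required headers on an HTML response and reproduces the client-side presence check. The header values are this example's assumptions, not values Zoom prescribes, and the script-src entry https://appssdk.zoom.us is assumed to be the host your app loads the Zoom Apps SDK from; adjust the policy to your own deployment.

```javascript
// Added example, not Zoom's code: apply the four headers the Zoom client
// requires on 200 text/html responses, and reproduce its presence check.
// Works with any response object that has setHeader() (Node http, Express).

const REQUIRED_SECURE_HEADERS = [
  'Strict-Transport-Security',
  'X-Content-Type-Options',
  'Content-Security-Policy',
  'Referrer-Policy',
];

// Header values are this example's assumptions, not Zoom's requirements:
// the CSP lets scripts come only from the app's own origin and from
// https://appssdk.zoom.us (assumed here to be the Zoom Apps SDK host).
function secureHeaders() {
  return {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': [
      "default-src 'self'",
      "script-src 'self' https://appssdk.zoom.us",
      "style-src 'self'",
      "img-src 'self' data:",
    ].join('; '),
    'Referrer-Policy': 'strict-origin-when-cross-origin',
  };
}

// Middleware-style helper: set every required header before writing the body.
function applySecureHeaders(res) {
  for (const [name, value] of Object.entries(secureHeaders())) {
    res.setHeader(name, value);
  }
  return res;
}

// Mirror of the client-side check: which required headers does a response
// lack? Only 200 text/html documents are checked, and header names are
// compared case-insensitively, as HTTP header names are.
function missingSecureHeaders(headers, statusCode = 200, contentType = 'text/html') {
  if (statusCode !== 200 || !/^text\/html\b/i.test(contentType)) return [];
  const present = new Set(Object.keys(headers).map((k) => k.toLowerCase()));
  return REQUIRED_SECURE_HEADERS.filter((h) => !present.has(h.toLowerCase()));
}

// Same wording as the console error the Zoom client prints.
function formatMissingError(missing, url) {
  const list = missing.map((h) => `"${h}"`).join(', ');
  return `Missing OWASP Secure Headers: ${list} for URL ${url}`;
}

// Constructed sample: a response that set only Content-Type.
const bareResponse = { 'content-type': 'text/html; charset=utf-8' };
const bareMissing = missingSecureHeaders(bareResponse, 200, bareResponse['content-type']);
// bareMissing lists all four headers; after applySecureHeaders() on a real
// response object the same check returns an empty list.
```

Call applySecureHeaders(res) in the handler for the home URL before res.end(), and keep the check in an integration test against a staging deployment so a refactor that drops a header fails in CI rather than in the Zoom client.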

Content Security Policy Header (CSP)

Zoom Apps require the Content-Security-Policy (CSP) header. This header tells the browser which origins it may load each resource type from (scripts, styles, images, media, frames, and so on), and is the main defense against cross-site scripting and content injection. For more information about CSP, see OWASP.

An example of an error caused by a resource that your site's CSP does not permit: Error: Refused to load file because it appears in neither the script-src directive nor the default-src directive of the Content Security Policy.

This error means the browser blocked the download because the resource's origin is not allowed by the directive that governs its type (script-src for scripts), and default-src, which the browser consults only when the specific directive is absent, does not allow it either. The fix is to add the origin to the governing directive in the CSP your server sends, not to relax the policy to a wildcard.
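To make the fallback rule concrete, the following is an added example, not Zoom's code or any browser's implementation: a simplified CSP source matcher that reports whether a fetch is allowed and which directive decided it. The sample policy, the page origin https://app.example.com and the host https://appssdk.zoom.us are constructed for the example. Only 'none', 'self', '*', scheme sources (https:, data:) and host sources with an optional scheme and a leading *. wildcard are handled; nonces, hashes, 'unsafe-*' keywords, paths and port wildcards are deliberately out of scope.

```javascript
// Added example, not Zoom's or any browser's code: a simplified CSP source
// matcher showing why a fetch is refused when its origin appears in neither
// the governing directive nor default-src. Handled source expressions:
// 'none', 'self', '*', scheme sources such as https: or data:, and host
// sources with optional scheme and a leading *. wildcard. Nonces, hashes,
// 'unsafe-*' keywords, paths and port wildcards are deliberately left out.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function sourceMatches(source, resourceUrl, pageOrigin) {
  const url = new URL(resourceUrl);
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin.toLowerCase();
  if (s === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)/);      // host source
  if (!m) return false;
  const [, scheme, host] = m;
  // An explicit scheme must match; a bare host only matches http(s) fetches.
  if (scheme ? url.protocol !== `${scheme}:` : !['http:', 'https:'].includes(url.protocol)) return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.host === host;
}

// The directive that governs a fetch type, with the default-src fallback the
// browser applies only when the type-specific directive is absent.
function governingDirective(directives, directiveName) {
  if (directives.has(directiveName)) return directiveName;
  if (directives.has('default-src')) return 'default-src';
  return null; // policy says nothing about this type: no restriction
}

// Decide a fetch, and report which directive made the decision.
function checkFetch(cspHeader, directiveName, resourceUrl, pageOrigin) {
  const directives = parseCsp(cspHeader);
  const name = governingDirective(directives, directiveName);
  if (name === null) return { allowed: true, directive: null };
  const allowed = directives.get(name).some((src) => sourceMatches(src, resourceUrl, pageOrigin));
  return { allowed, directive: name };
}

// Constructed sample: a policy an app might send for its home URL.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://appssdk.zoom.us; img-src 'self' data:";
const PAGE_ORIGIN = 'https://app.example.com';
// checkFetch(SAMPLE_CSP, 'script-src', 'https://cdn.example.net/lib.js', PAGE_ORIGIN)
//   -> { allowed: false, directive: 'script-src' }: the origin must be added to
//      script-src; default-src is not consulted because script-src is present.
```

Running checkFetch with 'style-src' against the same policy shows the other half of the rule: no style-src is present, so default-src decides, and a stylesheet from the app's own origin passes while one from a third-party host is refused.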

IMPORTANT: Resources may also be blocked because their domain has not been added to the app's domain allow list. That is a separate control enforced by the Zoom client, not by the CSP header your server sends, although the two kinds of error look similar.

Example error message: Content blocker prevented frame displaying https://example.com from loading a resource from https://domain/file.css (url, line XYZ).

Need help?

If you're looking for help, try Developer Support or our Developer Forum. Priority support is also available with Premier Developer Support plans.