Review Process for Views

Before you can incorporate a MyDataHelps View into your project, CareEvolution will perform a security review to ensure it meets the security requirements described below.

Requesting a Review

Once your view(s) are hosted and you are sure they meet the security requirements described in this article, contact us to request the review. In your message, include:

  • A description of the view.
  • The project(s) you wish to use the view in.
  • The URL(s) of the view.

You will be notified when the security review is complete and the view has been approved and registered for use by your project.

General Requirements

We require that all views:

  • Are served over SSL/TLS (https).
  • Employ HTTP Strict Transport Security.
  • Include an appropriate Content-Security-Policy header.
  • Employ secure development practices, such as avoiding vulnerable library versions and protecting against cross-site scripting (XSS) through appropriate DOM manipulation and HTML encoding practices. See the DOM based XSS Prevention Cheat Sheet for tips.

Content Security Policy Requirements

We recommend using a Strict Content Security Policy for your web app.

Since MyDataHelps views are loaded inside a web frame, be sure to add MyDataHelps to your allowable frame ancestors. Note that browsers honor frame-ancestors only when it is delivered in the HTTP response header, not in a meta tag.

Content-Security-Policy: frame-ancestors mydatahelps.org;
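As an added pre-review check (not CareEvolution's or MyDataHelps' own code), the script below reads a view's response headers and tests them against the requirements above: https, HSTS, a CSP whose frame-ancestors allows mydatahelps.org, and a nonce- or hash-based script-src as a strict CSP uses. It assumes Node.js 18 or later for the optional live fetch; the URL and header values it is run against are constructed samples.

```javascript
// Added example, not CareEvolution's or MyDataHelps' own code: checks the
// response headers of a hosted view against the requirements above. Assumes
// Node.js 18+ (global fetch) for the optional live check; sample values are constructed.

// Split a Content-Security-Policy value into a map of directive -> sources.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// True if a frame-ancestors source names MyDataHelps (scheme and "*." prefix ignored).
function allowsMyDataHelps(source) {
  return source.replace(/^https?:\/\//, '').replace(/^\*\./, '') === 'mydatahelps.org';
}

// Returns the problems found; an empty list means the view passes every check.
// Header names are matched case-insensitively, as HTTP requires.
function checkViewHeaders(url, headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? null : headers[key];
  };
  const findings = [];
  if (!/^https:\/\//i.test(url)) findings.push('view is not served over https');
  const hsts = get('strict-transport-security');
  if (!hsts || !/max-age=\d+/i.test(hsts)) findings.push('missing Strict-Transport-Security header');
  const csp = get('content-security-policy');
  if (!csp) return [...findings, 'missing Content-Security-Policy header'];
  const directives = parseCsp(csp);
  const ancestors = directives['frame-ancestors'];
  if (!ancestors) findings.push('no frame-ancestors directive, so any site may frame the view');
  else if (ancestors.includes('*')) findings.push('frame-ancestors * lets any site frame the view');
  else if (!ancestors.some(allowsMyDataHelps)) findings.push('frame-ancestors does not allow mydatahelps.org');
  const scripts = directives['script-src'] || directives['default-src'] || [];
  if (!scripts.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s))) {
    findings.push('script-src is not nonce- or hash-based, so the CSP is not strict');
  }
  return findings;
}

// Optional live check: node check-view.js https://your-view.example/ (constructed URL)
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  fetch(process.argv[2]).then((res) => {
    const findings = checkViewHeaders(res.url, Object.fromEntries(res.headers));
    console.log(findings.length ? findings.join('\n') : 'all checks passed');
  });
}
```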