Review Process for Views
Before you can incorporate a MyDataHelps View into your project, CareEvolution will perform a security review to ensure it meets the security requirements described below.
Tip
A security review is not required for views created using the MyDataHelps View Builder. These are hosted on CareEvolution’s servers, which meet these same security requirements.
Requesting a Review
Once your view(s) are hosted and you are sure they meet the security requirements described in this article, contact us to request the review. In your message, include:
- A description of the view.
- The project(s) you wish to use the view in.
- The URL(s) of the view.
You will be notified when the security review is complete, and the view has been approved and registered for use by your project.
General Requirements
We require that all views:
- Are served over HTTPS (TLS).
- Employ HTTP Strict Transport Security (HSTS).
- Include an appropriate Content-Security-Policy header.
- Employ secure development practices such as avoiding vulnerable library versions and protecting against cross-site scripting vulnerabilities via appropriate DOM manipulation and HTML encoding practices. See the DOM based XSS Prevention Cheat Sheet for tips.
Content Security Policy Requirements
We recommend using a Strict Content Security Policy for your web app.
Since MyDataHelps views are displayed inside a frame, be sure to add MyDataHelps to the allowed frame ancestors in your policy, for example:
Content-Security-Policy: frame-ancestors mydatahelps.org;
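As an added example (not CareEvolution's or the page's own code), the following Node.js module emits a header set that meets the requirements above and self-checks a response's headers before you request a review. The directives beyond frame-ancestors (nonce-based script-src, object-src, base-uri) are assumptions following the strict-CSP approach the page recommends.

```javascript
// Added example, not CareEvolution's or MyDataHelps' own code: builds the
// headers a self-hosted view should send and self-checks them before review.
// `nonce` must be a fresh CSPRNG value per response (e.g. 16 random bytes,
// base64); a static nonce gives no protection.

// Response headers meeting the requirements above: HSTS, a strict CSP, and
// frame-ancestors permitting MyDataHelps to embed the view in its frame.
function securityHeaders(nonce) {
  return {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": [
      "default-src 'self'",
      `script-src 'nonce-${nonce}' 'strict-dynamic'`,
      "object-src 'none'",
      "base-uri 'none'",
      "frame-ancestors mydatahelps.org",
    ].join("; "),
  };
}

// Parse a CSP header value into { directive: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Pre-review self-check: returns the problems found, empty when the header set
// satisfies this page's requirements. Header names match case-insensitively.
function checkHeaders(headers) {
  const get = (n) => headers[Object.keys(headers).find((h) => h.toLowerCase() === n)];
  const problems = [];
  const hsts = get("strict-transport-security");
  if (!hsts || !/max-age=\d+/i.test(hsts)) problems.push("HSTS header missing or lacks max-age");
  const csp = get("content-security-policy");
  if (!csp) return [...problems, "Content-Security-Policy header missing"];
  const d = parseCsp(csp);
  const ancestors = d["frame-ancestors"] || [];
  if (!ancestors.some((a) => /^(https:\/\/)?mydatahelps\.org$/i.test(a))) {
    problems.push("frame-ancestors does not allow mydatahelps.org");
  }
  const scriptSrc = d["script-src"] || d["default-src"] || [];
  if (!scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s))) {
    problems.push("script-src is not nonce- or hash-based (not a strict CSP)");
  }
  return problems;
}
```

Run checkHeaders against the headers your hosting actually returns (for example from a HEAD request) rather than against the configuration you intended, since proxies and CDNs may strip or override them.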