Before integrating your app into the App Center, ensure it's adequately protected and meets the security requirements outlined in this section. This includes adhering to the technical configuration and ensuring that the implementation aligns with our guidelines.
Your app must be served over HTTPS with a valid TLS certificate. We also recommend restricting your TLS configuration to the cipher suites enabled in the COMPATIBLE profile of the GCP SSL policies.
Your app must be protected against common web security vulnerabilities and developed with security standards in mind.
Configure the Content Security Policy (CSP) header to ensure the iframe security.
Use the frame-ancestors directive:
Content-Security-Policy: frame-ancestors https://*.semrush.com;
Note that you must deliver the CSP as an HTTP response header, not as a meta tag: according to the CSP specification, the frame-ancestors directive is ignored when it appears in a meta tag.
To include additional directives in the CSP, check CSP Evaluator and fix all High and Medium severity results before releasing your app to Production.
For authentication and authorization, your app must use JSON Web Tokens (JWT) provided by Semrush. The app can't use cookies or local storage for authentication. AJAX requests must work correctly even without cookies.
Use the SM.client('getAccessToken') method to get an encoded JWT string. Pass the method result as an HTTP header for every AJAX request to your server. For details, refer to the app integration guide.
If your app requires a different authentication type (for example, if a major part of the app's business logic is OAuth via Facebook or Google), approve this with Semrush representatives. Obtain this approval before starting the app integration process.
The iframe URL must only be accessible when a user provides a valid JWT.
Your app must check the expiration field in the JWT and must reject expired tokens.
Users who log out of Semrush must be unable to access or use your app. The app must require users to log in or authenticate their identity before granting access to any features or content.
AJAX requests from logged-out users must return an error.
To confirm this behavior, open Semrush in a new tab and click Log out in the Semrush header. Alternatively, delete the PHPSESSID and SSO-JWT cookies. In the original tab, the app should log the user out immediately, or at the latest within the next five minutes, when the JWT expires.
All vulnerabilities in your assets reported by the Semrush Security Team must be fixed according to the SLA we provide based on their severity. We use the Common Vulnerability Scoring System (CVSS) to estimate severity. If a discovered vulnerability affects Semrush, the Security Team reserves the right to suspend your integration until you fix it.
Severity | Time to fix
---|---
Critical | Two business days
High | Two weeks
Medium | One month
Low | Three months
All your developer accounts at semrush.com must use 2FA. For details on how to enable it, refer to this article.
Your app mustn't be usable outside of Semrush by opening the iframe URL directly.
If the app is opened via a direct iframe URL link, it must stop working after five minutes, when the JWT expires, and display an error message, for example 401 Authorization required.
Your app mustn't contain any forms that solicit users' Personally Identifiable Information (PII), including but not limited to email addresses, phone numbers, and credit card details.
The app users mustn't be forced to integrate their third-party accounts, such as Google Analytics or Facebook.
To collect specific data based on legitimate interests, submit a formal request to Semrush's Legal Team.
The JWT of every authenticated request must be validated on the server. This ensures that only authorized users can work in your app.
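The following is an added example, not Semrush's code, showing the server side of the JWT requirements in the authentication section above and in this paragraph: every AJAX request carries the token obtained from SM.client('getAccessToken') in a header, the server verifies it without consulting cookies, rejects it once the expiration field has passed, and answers 401 otherwise. The page does not say which header carries the token or which signing algorithm Semrush uses, so this example assumes an `Authorization: Bearer <jwt>` header and an HS256 signature; `SHARED_SECRET` and `mint_token` are constructed only so the example runs offline.

```python
"""Added example (not Semrush's code): server-side JWT validation for AJAX
requests, with the 401 response required for missing, invalid or expired
tokens. Header name and HS256 algorithm are assumptions; the shared secret
and the mint_token helper exist only to make the example self-contained."""
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"example-only-shared-secret"  # constructed, not a real key
BEARER = "Bearer "


class InvalidToken(Exception):
    """Raised for any token the server refuses to act on."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_jwt(token: str, key: bytes = SHARED_SECRET, now: float = None) -> dict:
    """Return the claims of a correctly signed, unexpired token; otherwise raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError as e:  # covers base64, UTF-8 and JSON decoding errors
        raise InvalidToken("undecodable token") from e
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("unexpected token structure")
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    # The expiration field is mandatory, and an expired token is rejected.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise InvalidToken("missing exp")
    if (time.time() if now is None else now) >= exp:
        raise InvalidToken("token expired")
    return claims


def handle_ajax(headers: dict, now: float = None) -> tuple:
    """Minimal AJAX handler returning (status, body). Cookies are never consulted,
    so a logged-out user with no valid JWT always gets an error."""
    auth = headers.get("Authorization", "")
    if not auth.startswith(BEARER):
        return 401, "Authorization required"
    try:
        claims = verify_jwt(auth[len(BEARER):], now=now)
    except InvalidToken as e:
        return 401, f"Authorization required: {e}"
    return 200, f"hello user {claims.get('user_id')}"


def mint_token(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Test-only helper: in production the token comes from Semrush, not the app."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"
```

The `now` parameter exists so the five-minute expiry can be exercised deterministically; in a real handler it is simply left at its default and the wall clock is used.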
To ensure the integrity and security of the hosting environment, you must maintain and securely configure the domains on which your app is hosted.
You must configure the Referrer-Policy HTTP header to avoid using the no-referrer-when-downgrade or unsafe-url directives. It's recommended that you use the no-referrer or strict-origin-when-cross-origin directives to ensure secure data handling and protect against data leakage.
You must disable caching for HTTPS pages with sensitive data in your app by using the no-cache and no-store directives instead of private in the Cache-Control header.
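The following is an added example, not Semrush's code, covering the response headers required in the CSP section above and in the two paragraphs just given: it builds the Content-Security-Policy, Referrer-Policy and Cache-Control headers for an app page, and audits an arbitrary header set against the same rules, flagging the forbidden no-referrer-when-downgrade and unsafe-url policies and a Cache-Control that relies on private for sensitive pages. The header values come from this page; the helper names are assumptions.

```python
"""Added example (not Semrush's code): build the headers this page requires and
flag the weak settings it forbids. Header values are taken from the page."""

FRAME_ANCESTORS = "https://*.semrush.com"  # from the CSP requirement
RECOMMENDED_REFERRER_POLICIES = {"no-referrer", "strict-origin-when-cross-origin"}
FORBIDDEN_REFERRER_POLICIES = {"no-referrer-when-downgrade", "unsafe-url"}
REQUIRED_CACHE_DIRECTIVES = {"no-cache", "no-store"}


def security_headers(sensitive: bool) -> dict:
    """Headers for a page served inside the Semrush iframe.

    `sensitive` marks pages that display user data; those must not be cached
    at all, which is why no-cache and no-store are used rather than private.
    """
    headers = {
        # Sent as an HTTP header: frame-ancestors is ignored in a <meta> tag.
        "Content-Security-Policy": f"frame-ancestors {FRAME_ANCESTORS};",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }
    if sensitive:
        headers["Cache-Control"] = "no-cache, no-store"
    return headers


def _csp_directives(csp: str) -> dict:
    """Parse 'name src src; name src' into {name: [src, ...]}."""
    result = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            result[tokens[0]] = tokens[1:]
    return result


def audit_headers(headers: dict, sensitive: bool = True) -> list:
    """Return the list of findings; an empty list means the headers comply."""
    findings = []

    directives = _csp_directives(headers.get("Content-Security-Policy", ""))
    if "frame-ancestors" not in directives:
        findings.append("CSP: frame-ancestors directive missing")
    elif FRAME_ANCESTORS not in directives["frame-ancestors"]:
        findings.append(f"CSP: frame-ancestors must allow {FRAME_ANCESTORS}")

    policy = headers.get("Referrer-Policy")
    if policy is None:
        findings.append("Referrer-Policy header missing")
    elif policy in FORBIDDEN_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy: {policy} is forbidden")
    elif policy not in RECOMMENDED_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy: {policy} is not a recommended value")

    if sensitive:
        tokens = {t.strip() for t in headers.get("Cache-Control", "").split(",") if t.strip()}
        if "private" in tokens or not REQUIRED_CACHE_DIRECTIVES <= tokens:
            findings.append("Cache-Control: sensitive pages need no-cache, no-store, not private")

    return findings
```

`audit_headers` is the kind of check worth running in a test suite against the headers your framework actually emits, since a misconfigured reverse proxy can silently override what the application sets.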
Development and internal systems related to your app must have passwords and passphrases meeting the following requirements:
At least 14 characters long.
Include at least one uppercase letter and one number.
Contain no repeating, ascending, or descending character sequences.
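The following is an added example, not Semrush's code, that checks a password or passphrase against the three rules above and reports every rule it violates. The page does not define how long a run of characters counts as a "sequence"; this example treats three or more consecutive characters (repeating, or stepping up or down by one code point) as one, which is an assumption you may tighten.

```python
"""Added example (not Semrush's code): password policy check for the rules on
this page. The run length of 3 is an assumption the page does not state."""
import re

MIN_LENGTH = 14
SEQUENCE_RUN = 3  # assumption: "aaa", "abc" and "321" are sequences; "ab" is not


def _has_run(password: str, step: int) -> bool:
    """True if SEQUENCE_RUN consecutive characters each differ from the previous
    one by `step` code points: 0 = repeating, +1 = ascending, -1 = descending.
    Comparison is by code point, so 'aBc' is not treated as ascending."""
    for i in range(len(password) - SEQUENCE_RUN + 1):
        window = password[i:i + SEQUENCE_RUN]
        if all(ord(window[j + 1]) - ord(window[j]) == step
               for j in range(SEQUENCE_RUN - 1)):
            return True
    return False


def password_problems(password: str) -> list:
    """Return the list of violated rules; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if _has_run(password, 0):
        problems.append("repeating character sequence")
    if _has_run(password, 1):
        problems.append("ascending character sequence")
    if _has_run(password, -1):
        problems.append("descending character sequence")
    return problems
```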
If you are in a bug bounty program, provide us with the details. If you aren't, we recommend setting up a page with an address researchers can use to report security-related issues. Use securitytxt.org as a reference.
We recommend submitting your app for a pentest once a year. If you have a pentest report, send it and any future reports to security@semrush.com. Feel free to ask for a PGP key.
If your app requires users to install a script on their instance, such as a website, it must meet the requirements listed in this section.
Including a script in your app may prolong the review; therefore, we recommend submitting the app in advance to ensure a smooth and efficient review process.
The script's algorithm, functions, and data it can access and retrieve must be clearly defined and documented.
All features of the script must be documented.
You aren't allowed to obfuscate the script's code.
The script mustn't download additional scripts or execute unwanted operations, such as client-side Denial of Service (DoS) attacks or intensive Proof-of-Work (PoW) calculations.
The script must only collect information about or from the user as declared in the App Center agreement.
The script's connections must be restricted to the authorized sources, which should be listed and attached to the script.
You must ensure the script's integrity to prevent unauthorized modifications.
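The following is an added example, not Semrush's code, showing two automated checks for a script your users must embed, as one approach among others to the last two requirements above: it pins the published script with a Subresource Integrity (SRI) hash so a browser refuses any modified copy, and it extracts every URL the script contacts so the set of hosts can be compared with the authorized sources attached to the script. The sample script, hostnames and helper names are constructed for the example.

```python
"""Added example (not Semrush's code): integrity pinning and connection
allow-listing for a user-installed script. Sample script and hosts are
constructed."""
import base64
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Constructed sample: two declared endpoints and one that was never declared.
SAMPLE_SCRIPT = b"""
(function () {
  var api = "https://api.example-app.test/v1/collect";
  var pixel = "https://cdn.example-app.test/assets/pixel.gif";
  var rogue = "https://tracker.not-declared.test/beacon";
  fetch(api, { method: "POST", body: "{}" });
})();
"""

# The list of authorized sources that ships with the script (constructed).
AUTHORIZED_HOSTS = {"api.example-app.test", "cdn.example-app.test"}


def sri_integrity(script: bytes) -> str:
    """Value for the HTML `integrity` attribute: sha384 digest, base64-encoded."""
    digest = hashlib.sha384(script).digest()
    return "sha384-" + base64.b64encode(digest).decode()


def script_tag(src: str, script: bytes) -> str:
    """The tag users paste into their site. A browser that loads `src` and finds
    bytes that do not hash to `integrity` refuses to execute the script."""
    return (f'<script src="{src}" integrity="{sri_integrity(script)}" '
            f'crossorigin="anonymous"></script>')


def verify_integrity(served: bytes, expected: str) -> bool:
    """Release-time check: does the file about to be published still match the
    hash that was documented and handed to users?"""
    return hmac.compare_digest(sri_integrity(served), expected)


def referenced_hosts(script: bytes) -> set:
    """Hostnames of every http(s) URL literal found in the script source."""
    urls = re.findall(rb'https?://[^\s"\'<>()]+', script)
    return {urlparse(u.decode()).hostname for u in urls}


def undeclared_hosts(script: bytes, authorized: set) -> set:
    """Hosts the script may contact that are not on the authorized list."""
    return referenced_hosts(script) - authorized
```

Run `undeclared_hosts` in CI against the unminified source you submit for review; a non-empty result means either the authorized-sources list or the script needs to change before release.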