Aurora Apps

Embedded apps

Websites displayed in iframes (i.e. embedded apps) require special consideration to function properly. Keep the following in mind when implementing your embedded app:

  • Beware X-Frame-Options and frame-ancestors
    If your servers return the X-Frame-Options header, we will be unable to embed your application in Aurora. If you choose to use the frame-ancestors Content Security Policy directive, we recommend setting the value to https://*.aurorasolar.com. Be sure to also consider these headers for flows that may leave your core application, such as OAuth-based login flows.
  • Cookies require special care
    If you are creating user sessions via cookies you'll need to adjust your policy to SameSite=None; Secure to allow your cookie to be read in the third-party context created by the iframe. When making this change, consider additional avenues for CSRF attacks. In general, Aurora recommends using local storage for managing sessions if possible.
  • Careful with caching
    Browsers tend to aggressively cache the content of iframes. We recommend setting an appropriate Cache-Control header or implementing a cache-busting scheme for any resources your application loads.
  • Refresh temporary keys regularly
    Temporary keys are only valid for 13 hours. We recommend that these keys are re-generated each time your iframe is loaded, even if the user has an existing session, to avoid unexpected authentication failures due to inactivity.
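The following added example (not part of Aurora's own documentation or SDK) lints an embedded app's HTTP response headers against the first three points above: an X-Frame-Options header, a frame-ancestors directive that omits https://*.aurorasolar.com, session cookies without SameSite=None; Secure, and a missing Cache-Control header. The header values it checks are constructed sample data; the temporary-key refresh rule is not checked because it is not visible in a response.

```python
"""Lint an embedded app's response for the iframe pitfalls listed above."""
from http.cookies import SimpleCookie  # SameSite support needs Python 3.8+

# Origin the text above recommends for the frame-ancestors directive.
AURORA_ORIGIN = "https://*.aurorasolar.com"


def csp_directive(csp, name):
    """Return the source list of a CSP directive, or None if it is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def lint_embed_response(headers):
    """headers: list of (name, value) pairs; returns a list of findings."""
    names = {n.lower() for n, _ in headers}
    findings = []
    # 1. Any X-Frame-Options value (DENY or SAMEORIGIN) blocks cross-origin framing.
    if "x-frame-options" in names:
        findings.append("X-Frame-Options present: remove it on embedded routes")
    # 2. If frame-ancestors is used, it must allow the Aurora origin.
    csp = next((v for n, v in headers if n.lower() == "content-security-policy"), "")
    ancestors = csp_directive(csp, "frame-ancestors")
    if ancestors is not None and AURORA_ORIGIN not in ancestors:
        findings.append(f"frame-ancestors does not allow {AURORA_ORIGIN}")
    # 3. Cookies set inside the iframe are third-party: SameSite=None; Secure required.
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        for morsel in SimpleCookie(v).values():
            same_site = (morsel["samesite"] or "").lower()
            if same_site != "none" or not morsel["secure"]:
                findings.append(f"cookie {morsel.key!r} lacks SameSite=None; Secure")
    # 4. Iframe content is cached aggressively; an explicit policy is expected.
    if "cache-control" not in names:
        findings.append("no Cache-Control header: iframe content may be served stale")
    return findings


if __name__ == "__main__":
    # Constructed sample response from a hypothetical embedded app.
    sample = [
        ("X-Frame-Options", "SAMEORIGIN"),
        ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ]
    for finding in lint_embed_response(sample):
        print("-", finding)
```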