SuiteScript Security Considerations
Certain measures must be taken to ensure your SuiteScript script executes in a safe, secure manner. This includes the use of user credentials and executing scripts using a specific role, particularly when working with sensitive data. In general, you should follow these guidelines:
Security Consideration | Security Consideration Guidance |
---|---|
User passwords |
|
Deploy scripts to run as administrator only if necessary to minimize security risk and to eliminate performance overhead. See Executing Scripts Using a Specific Role. |
|
Script parameters |
For security reasons, do not include confidential information in script parameters. Information saved in script parameters can be indexed by search engines and therefore be viewable by the public. This means, for example, that the information could be found in Google searches. For more information, see Creating Script Parameters Overview. |
The URLs for accessing RESTlets are protected by TLS encryption. Only requests sent using TLS encryption are granted access. For more information, see Supported TLS Protocol and Cipher Suites. |
|
To prevent users from accessing sensitive information, such as password and credit card data, the following internal field IDs cannot be read in
External role users include shoppers, online form users and other anonymous users, customer center users, etc. |
|
Take extreme care when using the N/auth module to change an email or user password. Both the auth.changeEmail(options) and auth.changePassword(options) methods allow you to include a plaintext string for the password. |
|
For security purposes, NetSuite blocks some headers from use in HTTP and HTTPS calls. For a list of blocked headers, see HTTP Header Information. |
|
Plaintext user credentials can be included in HTTPS request parameters or in the body. Using plain text or other unencrypted user credentials is unsafe and can pose a security threat. Whenever possible, use Token-based Authentication (TBA) or OAuth 2.0 to specify user credentials. |
|
When working with credit cards, you can retrieve only the encrypted version of the credit card number, at most. You may not be able to retrieve any credit card number data. |
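
The guidance above on plaintext credentials in HTTPS request parameters or bodies can be checked mechanically before a request is sent. The following is an added example, not code from NetSuite or from this page: it is plain JavaScript with no SuiteScript modules, and the request shape, the credential field-name list, the treatment of the `Basic` and `NLAuth` header schemes, and the sample requests are all assumptions or constructed values.

```javascript
// Added example (not NetSuite code): flag plaintext credentials in an outgoing request.
// The request shape and the field-name list below are assumptions for illustration.
const CREDENTIAL_KEYS = /^(password|passwd|pwd|newpassword|currentpassword|nlauth_signature)$/i;
// Token-based schemes: TBA sends an OAuth 1.0 header, OAuth 2.0 sends Bearer.
const TOKEN_SCHEMES = /^(OAuth|Bearer)\s/i;
// Schemes that carry the user's password itself (Basic, NetSuite's older NLAuth).
const PASSWORD_SCHEMES = /^(Basic|NLAuth)\s/i;

function auditRequest(req) {
  const findings = []; // holds locations only, never credential values
  const url = new URL(req.url);
  if (url.protocol !== 'https:') findings.push('url: not HTTPS');
  for (const key of url.searchParams.keys()) {
    if (CREDENTIAL_KEYS.test(key)) findings.push(`query: ${key}`);
  }
  for (const [name, value] of Object.entries(req.headers || {})) {
    if (name.toLowerCase() !== 'authorization') continue;
    if (PASSWORD_SCHEMES.test(value)) findings.push(`header: ${value.split(/\s/)[0]} scheme`);
    else if (!TOKEN_SCHEMES.test(value)) findings.push('header: unrecognized scheme');
  }
  // Walk a parsed body recursively so nested credential fields are found too.
  const walk = (obj, path) => {
    for (const [k, v] of Object.entries(obj)) {
      if (CREDENTIAL_KEYS.test(k)) findings.push(`body: ${path}${k}`);
      else if (v && typeof v === 'object') walk(v, `${path}${k}.`);
    }
  };
  if (typeof req.body === 'string') {
    let parsed = null;
    try { parsed = JSON.parse(req.body); } catch { /* not JSON: treat as form data */ }
    if (parsed && typeof parsed === 'object') walk(parsed, '');
    else walk(Object.fromEntries(new URLSearchParams(req.body)), '');
  } else if (req.body && typeof req.body === 'object') {
    walk(req.body, '');
  }
  return findings;
}
// Constructed sample requests (hosts, account, and values are placeholders).
const SAMPLE_FLAGGED = {
  url: 'https://example.invalid/restlet?script=1&deploy=1&password=Constructed1',
  headers: { Authorization: 'NLAuth nlauth_account=000000, nlauth_email=user@example.invalid, nlauth_signature=Constructed1' },
  body: JSON.stringify({ user: { email: 'user@example.invalid', newPassword: 'Constructed1' } }),
};
const SAMPLE_CLEAN = {
  url: 'https://example.invalid/restlet?script=1&deploy=1',
  headers: { Authorization: 'Bearer constructed-token' },
  body: JSON.stringify({ memo: 'hello' }),
};
console.log(auditRequest(SAMPLE_FLAGGED), auditRequest(SAMPLE_CLEAN));
```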