kintone Best Practices
This skill provides official guidelines for developing on the kintone platform.
When to Use
- Writing JavaScript Customizations: To ensure code is safe, compatible, and maintainable.
- Using the kintone REST API: To follow performance rules and best practices.
- Security Reviews: To check for common vulnerabilities such as XSS or credential leaks.
- Code Reviews: To verify compliance with kintone's coding standards.
Usage Instructions
1. JavaScript Coding
For rules regarding variables, DOM manipulation, and URL handling:
Key Points:
- Use an IIFE or block scope to avoid polluting the global namespace.
- Do NOT rely on kintone's internal DOM structure (auto-generated id/class attributes); it can change with any kintone update.
- Use `kintone.api.url()` to generate API URLs instead of hardcoding paths.
2. Secure Coding
For security requirements and preventing vulnerabilities:
- Read: references/secure-coding.md
Key Points:
- Prevent XSS: never assign untrusted data via `innerHTML`; render it with `textContent` instead.
- Never store secrets (API keys) in frontend code; route calls that need them through the Plugin Proxy.
- Validate URLs (scheme and origin) before redirecting, to prevent open redirects.
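The following is an added example, not code from kintone or the reference document above. It shows the two browser-side points in working form: an open-redirect guard that only accepts http(s) targets on the current origin, and a renderer that puts user-controlled text into the DOM through `textContent` rather than `innerHTML`. The function names (`isSafeRedirectTarget`, `resolveSafeRedirect`, `renderRecordLink`) and the `doc` parameter are this example's own choices; `currentOrigin` is expected in the form `location.origin` returns (no trailing slash).

```javascript
// Added example (not kintone's own code). Helper names are this example's own.

// Open-redirect guard: accept only targets that resolve to the current origin
// over http(s). Relative paths are resolved against currentOrigin; protocol-
// relative ("//evil.example"), scheme-bearing ("javascript:...") and userinfo
// tricks ("https://good@evil.example") resolve to another origin or scheme
// and are rejected.
function isSafeRedirectTarget(candidate, currentOrigin) {
  if (typeof candidate !== 'string' || candidate.length === 0) return false;
  let url;
  try {
    url = new URL(candidate, currentOrigin);
  } catch (e) {
    return false; // unparsable input is never a valid target
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return url.origin === currentOrigin;
}

// Resolve to an absolute URL only after the guard passed; otherwise fall back
// to a fixed in-app path. Callers do location.assign(resolveSafeRedirect(...))
// and never pass raw input through.
function resolveSafeRedirect(candidate, currentOrigin, fallbackPath) {
  return isSafeRedirectTarget(candidate, currentOrigin)
    ? new URL(candidate, currentOrigin).href
    : new URL(fallbackPath, currentOrigin).href;
}

// XSS-safe rendering: the label always goes through textContent, so a value
// like '<img src=x onerror=alert(1)>' is displayed as literal text.
// `doc` is the page's `document` in a browser; it is passed in so the function
// can be exercised without a DOM. Hrefs that fail the guard are rendered as a
// plain <span> (text still shown) instead of a link.
function renderRecordLink(doc, container, label, href, currentOrigin) {
  const safe = isSafeRedirectTarget(href, currentOrigin);
  const el = doc.createElement(safe ? 'a' : 'span');
  el.textContent = String(label); // never el.innerHTML = label
  if (safe) el.setAttribute('href', new URL(href, currentOrigin).href);
  container.appendChild(el);
  return el;
}
```

In a customization you would call `renderRecordLink(document, container, record.Title.value, record.Link.value, location.origin)` from an event handler. The secret-handling point has no browser-side code by design: the key lives in the plugin's proxy configuration and the customization calls the proxy, so the credential never appears in a file the browser can read.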
3. General & API Best Practices
For REST API usage and general development tips:
Key Points:
- Avoid firing large numbers of requests in parallel; bound concurrency.
- Use the bulk (multi-record) APIs for data operations instead of one request per record.
- Be aware that kintone updates can affect customizations; re-test after each update.
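As an added example (not kintone's own code), here is the shape a bulk write usually takes: records are split into request-sized chunks and the chunks are sent with a small, fixed number of requests in flight, instead of one request per record or all chunks at once. The per-request record limit of 100 and the in-flight limit of 2 are assumptions for this example; check the current REST API documentation for the limits that apply to your request type. `sendChunk` is injected so the logic runs offline; the usage note below shows what a customization would pass in.

```javascript
// Added example (not kintone's own code). Limits below are assumptions for
// this example; confirm them against the current kintone REST API docs.
const MAX_RECORDS_PER_REQUEST = 100; // assumed per-request record limit
const MAX_IN_FLIGHT = 2;             // assumed safe concurrency for one client

// Split an array into consecutive slices of at most `size` items.
function chunk(items, size) {
  if (!Number.isInteger(size) || size <= 0) {
    throw new RangeError('size must be a positive integer');
  }
  const out = [];
  for (let i = 0; i < items.length; i += size) out.push(items.slice(i, i + size));
  return out;
}

// Run async task factories with at most `limit` in flight. Results are stored
// by index, so the output order matches the input order regardless of which
// request finishes first. `next++` happens synchronously before any await, so
// two workers can never pick the same task.
async function runWithLimit(tasks, limit) {
  const results = new Array(tasks.length);
  let next = 0;
  async function worker() {
    while (next < tasks.length) {
      const i = next++;
      results[i] = await tasks[i]();
    }
  }
  const workers = Array.from({ length: Math.min(limit, tasks.length) }, worker);
  await Promise.all(workers);
  return results;
}

// Add many records to `app`: chunk them, send each chunk through `sendChunk`
// (one bulk request per chunk), and return the created record ids in order.
// sendChunk({ app, records }) must resolve to a response with an `ids` array,
// which is the shape of the POST /k/v1/records.json response.
async function bulkAddRecords(app, records, sendChunk, opts = {}) {
  const size = opts.chunkSize || MAX_RECORDS_PER_REQUEST;
  const limit = opts.maxInFlight || MAX_IN_FLIGHT;
  const tasks = chunk(records, size).map((part) => () => sendChunk({ app, records: part }));
  const responses = await runWithLimit(tasks, limit);
  return responses.flatMap((r) => r.ids);
}
```

In a customization the injected sender would be `(body) => kintone.api(kintone.api.url('/k/v1/records.json', true), 'POST', body)`, which keeps the URL generation on `kintone.api.url()` as section 1 requires; 250 records then become three requests (100, 100, 50) with never more than two outstanding.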
Quick Checklist for Developers
- Scope: Is all code wrapped in an IIFE (`(() => { ... })();`)?
- Globals: Are you modifying `window` or `cybozu` objects? (Don't!)
- Selectors: Are you selecting elements by auto-generated IDs? (Don't! Use the API or your own custom elements.)
- XSS: Are you using `innerHTML`? (Use `innerText` or `textContent`.)
- Secrets: Are credentials hardcoded? (Use the Plugin Proxy or a backend.)