There is also a mandatory order in which elements must appear within their parent element. For more information see How to find the proper order of manifest elements.

Required elements by Office Add-in type

Element
DefaultSettings (ContentApp)
DefaultSettings (TaskPaneApp)
SourceLocation (ContentApp)
SourceLocation (TaskPaneApp)
Permissions (ContentApp)
Permissions (TaskPaneApp)
Permissions (MailApp)

*Added in the Office Add-in Manifest Schema version 1.1.
** SupportUrl is only required for add-ins that are distributed through AppSource.

Hosting requirements

All image URIs, such as those used for add-in commands, must support caching. The server hosting the image should not return a Cache-Control header specifying no-cache, no-store, or similar options in the HTTP response.

All URLs, such as the source file locations specified in the SourceLocation element, should be SSL-secured (HTTPS). While not strictly required in all add-in scenarios, using an HTTPS endpoint for your add-in is strongly recommended. Add-ins that are not SSL-secured (HTTPS) generate unsecure content warnings and errors during use. If you plan to run your add-in in Office on the web or publish your add-in to AppSource, it must be SSL-secured. If your add-in accesses external data and services, it should be SSL-secured to protect data in transit. Self-signed certificates can be used for development and testing, so long as the certificate is trusted on the local machine.
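One way to check the two hosting requirements above against a manifest before deployment, as an added example (not from the original page or from Microsoft's tooling): it collects every DefaultValue URL, flags any that is not HTTPS, and flags image URLs whose Cache-Control value contains no-cache or no-store. The manifest fragment, the contoso.example hosts, the header values and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed, trimmed manifest fragment; contoso.example hosts are placeholders.
SAMPLE_MANIFEST = """\
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
    xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0">
  <IconUrl DefaultValue="http://cdn.contoso.example/icon-32.png"/>
  <SupportUrl DefaultValue="https://contoso.example/help"/>
  <DefaultSettings>
    <SourceLocation DefaultValue="https://contoso.example/taskpane.html"/>
  </DefaultSettings>
  <bt:Image id="Icon.16" DefaultValue="https://cdn.contoso.example/icon-16.png"/>
</OfficeApp>"""

# Constructed Cache-Control values, as they would be read from each image response.
SAMPLE_HEADERS = {
    "http://cdn.contoso.example/icon-32.png": "public, max-age=86400",
    "https://cdn.contoso.example/icon-16.png": "No-Store, max-age=0",
}

IMAGE_ELEMENTS = {"IconUrl", "HighResolutionIconUrl", "Image"}
# Only the two directives the text names; "similar options" is left undefined there.
BLOCKING = {"no-cache", "no-store"}

def manifest_urls(xml_text):
    """(element name, URL) for every DefaultValue attribute holding an http(s) URL."""
    # ElementTree is fine for a manifest you wrote; use a hardened parser for untrusted XML.
    found = []
    for el in ET.fromstring(xml_text).iter():
        value = el.get("DefaultValue", "")
        if urlsplit(value).scheme in ("http", "https"):
            found.append((el.tag.rsplit("}", 1)[-1], value))
    return found

def blocks_caching(cache_control):
    """True if the header value carries no-cache or no-store (case-insensitive)."""
    parts = (cache_control or "").split(",")
    return bool({p.strip().split("=", 1)[0].lower() for p in parts} & BLOCKING)

def audit(xml_text, cache_headers):
    """List (element, url, problem) for each hosting requirement that is not met."""
    findings = []
    for name, url in manifest_urls(xml_text):
        if urlsplit(url).scheme != "https":
            findings.append((name, url, "not HTTPS"))
        if name in IMAGE_ELEMENTS and blocks_caching(cache_headers.get(url)):
            findings.append((name, url, "image response forbids caching"))
    return findings
```

Calling audit(SAMPLE_MANIFEST, SAMPLE_HEADERS) reports the HTTP icon URL and the icon served with no-store; in practice the header dictionary would be filled from a HEAD request to each image URL.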