What are Host Webs and App Webs

SharePoint 2013 introduces the concept of ‘host webs’ and ‘app webs’.

Apps are deployed to the App Web.

Apps are installed to the Host Web.


What are App Webs

In SharePoint 2010, when creating a webpart you could create and use any SharePoint components such as lists, libraries or workflows just about anywhere in the scope of where the webpart was being activated.

SharePoint 2013 adds an additional level of isolation (for security): if an App needs a SharePoint component such as a list, it must contain that list within the app's own subweb, that app's own App Web.  App Webs are usually inside the same site collection as the Host Web, except in tenant environments where they are in the App Catalog.  Apps that require their own web are referred to as SharePoint hosted apps.

Apps that don't need access to any SharePoint objects such as lists can exist without an App Web, e.g. those webparts which consume data from web services. These are referred to as Provider Hosted Apps.

See the example below, where App 1 doesn't use any SharePoint component and therefore has no App Web, whereas App 2 uses lists and workflow and requires its own App Web:


Also, although the app web is typically in the same site collection as the host web, it will have its own isolated domain.

For example, suppose that an app, with SharePoint components beyond just the UI elements that can be deployed to a host web, is installed on a host website at the following URL:


The app for SharePoint will be deployed to a newly created website with a URL like the following:


Note that this URL has the following structure:


  • Domain_Relative_URL_of_Host_Web is the relative URL of the parent host web, in this case sites/Marketing.
  • App_Name is the value of the Name attribute of the app element in the appmanifest.xml file.


Why do apps have their own web

Microsoft states two reasons for requiring App Webs for Apps. Both are for security: enforcement of App permissions (see blog post) and protecting against cross-domain scripting attacks.
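
To illustrate the isolation described above, the following added example (not from the original post or from Microsoft) audits a list of app web URLs against a host web URL and flags any that the browser's same-origin policy would not separate from the host web. All URLs, host names and app names are constructed; the assumed path layout is Domain_Relative_URL_of_Host_Web followed by App_Name.

```javascript
// Added example. Constructed sample data, not URLs from the original page.
const SAMPLE_HOST_WEB = "https://intranet.example.com/sites/Marketing";
const SAMPLE_APPS = [
  { name: "Scheduler", url: "https://appweb1.apps.example.net/sites/Marketing/Scheduler" },
  { name: "Reports", url: "https://intranet.example.com/sites/Marketing/Reports" },
  { name: "Notes", url: "https://intranet.example.com:8443/sites/Marketing/Notes" },
];

function trimSlashes(path) {
  return path.replace(/^\/+|\/+$/g, "");
}

// Compare one app web URL with the host web URL.
function checkAppWebIsolation(hostWebUrl, appWebUrl, appName) {
  const host = new URL(hostWebUrl);
  const app = new URL(appWebUrl);
  // Assumption: app web path = <host web relative URL>/<App_Name>.
  const expectedPath = trimSlashes(trimSlashes(host.pathname) + "/" + appName);
  return {
    // An origin is scheme + host + port; the same-origin policy keys on it.
    isolatedOrigin: host.origin !== app.origin,
    sameHostName: host.hostname === app.hostname,
    pathMatchesHostWeb:
      trimSlashes(app.pathname).toLowerCase() === expectedPath.toLowerCase(),
  };
}

// Audit every installed app and collect findings per app.
function auditAppWebs(hostWebUrl, apps) {
  return apps.map(({ name, url }) => {
    const r = checkAppWebIsolation(hostWebUrl, url, name);
    const findings = [];
    if (!r.isolatedOrigin) {
      findings.push("app web shares the host web origin");
    } else if (r.sameHostName) {
      findings.push("app web differs from host web only by scheme or port");
    }
    if (!r.pathMatchesHostWeb) {
      findings.push("app web path is not <host web path>/<App_Name>");
    }
    return { name, ok: findings.length === 0, findings };
  });
}

console.log(JSON.stringify(auditAppWebs(SAMPLE_HOST_WEB, SAMPLE_APPS), null, 2));
```
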

For more detailed information see the MSDN whitepaper