Security Best Practices
This guide outlines essential security practices for interacting with the XBD PAY Banking API to ensure the safety of your API key pair, requests, and overall integration. Following these best practices helps protect your application and data from unauthorized access and potential threats.
Key Management
Proper management of your API key pair (keyId and apiSecret) is critical for secure API authentication.
- Store Private Keys Securely:
- Use environment variables or a key management system (e.g., AWS KMS, Azure Key Vault) to store your
apiSecret(private key). - Avoid hardcoding keys in source code or configuration files.
- Use environment variables or a key management system (e.g., AWS KMS, Azure Key Vault) to store your
- Never Expose Private Keys in Client-Side Code:
- Ensure the
apiSecretis only used in server-side environments to prevent exposure in browsers or client applications.
- Ensure the
- Rotate Keys Regularly:
- Periodically generate new API key pairs using the
/api/keysendpoint to minimize the risk of key compromise.
- Periodically generate new API key pairs using the
- Revoke Compromised Keys Immediately:
- If a key is suspected to be compromised, revoke it through the XBD PAY Merchant Dashboard or contact support@xbdgroup.com.
Request Security
Secure your API requests to prevent unauthorized access and ensure data integrity.
- Use HTTPS for All API Requests:
- Always use the secure endpoints:
- HTTPS ensures encrypted communication between your application and the API.
- Implement Request Replay Protection:
- Ensure timestamps are recent (e.g., within a 5-minute window).
- Validate All Request Signatures Server-Side:
- Use the provided
keyIdand signature to verify requests on your server.
- Use the provided
- Log Authentication Attempts:
- Maintain logs of authentication attempts to monitor for suspicious activity and audit API usage.
Error Handling
Proper error handling enhances security and prevents information leakage.
- Don’t Expose Detailed Error Messages to Clients:
- Return generic error messages (e.g., “Invalid Request”) to clients to avoid revealing sensitive details about the API or server.
- Implement Rate Limiting for Authentication Failures:
- Apply rate limits to endpoints like
/api/keysor authentication endpoints to mitigate brute-force attacks.
- Apply rate limits to endpoints like
- Monitor for Unusual Authentication Patterns:
- Set up alerts for repeated failed authentication attempts or unusual request patterns to detect potential attacks early.