These are some of the practices we recommend for secure and efficient use of our API.
- 1. API Management: verify that your app meets these requirements for managing your API keys
  - API keys should not be hardcoded in the codebase.
  - API calls requiring your DusuPay Secret Key should never be initiated from a client (browser or mobile app); make them from the backend/server part of the application.
  - API keys should be stored in environment variables or a secrets manager.
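The three points above, as an added example (not DusuPay's code, and the environment-variable name `DUSUPAY_SECRET_KEY` is an assumption the page does not make): the key is loaded from the environment on the server and fails closed when absent, it is wrapped so it cannot leak through `repr()`, `str()` or log formatting, and a small heuristic scan flags assignments that look like a hardcoded key in source text before it is committed.

```python
import os
import re
from typing import List, Mapping, Optional

# Assumed environment-variable name; the page does not specify one.
SECRET_KEY_ENV = "DUSUPAY_SECRET_KEY"


class Secret:
    """Wraps a secret so it never leaks through repr(), str(), logs or tracebacks."""

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        # Only the server-side code that builds the outgoing request calls this.
        return self._value

    def __repr__(self) -> str:
        return "Secret(****)"

    __str__ = __repr__


def load_secret_key(env: Optional[Mapping[str, str]] = None) -> Secret:
    """Read the secret key from the environment (or an injected mapping for tests).

    Fails closed: a missing or empty value raises instead of the service silently
    running with no credential or a placeholder one.
    """
    source = os.environ if env is None else env
    value = source.get(SECRET_KEY_ENV, "").strip()
    if not value:
        raise RuntimeError(f"{SECRET_KEY_ENV} is not set; refusing to start")
    return Secret(value)


# Constructed pattern for a pre-commit check. It catches assignments such as
#   secret_key = "sk_..."    or    API_KEY: 'abcdefgh...'
# in source text. It is a heuristic to back the "no hardcoded keys" rule,
# not a complete secret scanner.
HARDCODED_KEY_RE = re.compile(
    r"""(?i)\b\w*(secret|api_?key)\w*\s*[:=]\s*["'][^"']{8,}["']"""
)


def find_hardcoded_keys(source_text: str) -> List[int]:
    """Return 1-based line numbers whose text looks like a hardcoded API key."""
    return [
        lineno
        for lineno, line in enumerate(source_text.splitlines(), start=1)
        if HARDCODED_KEY_RE.search(line)
    ]


if __name__ == "__main__":
    # Constructed source snippet: line 1 violates the rule, line 2 follows it.
    sample = 'secret_key = "sk_test_1234567890"\nsecret_key = os.environ["DUSUPAY_SECRET_KEY"]\n'
    print("hardcoded key on lines:", find_hardcoded_keys(sample))
```

Reading the key through `load_secret_key()` at start-up, rather than wherever it is first needed, means a misconfigured deployment fails immediately instead of at the first payment call.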
- Ensure a strong password policy is enforced, e.g. a minimum of 8 alphanumeric characters, an upper-case letter and a special character.
- Input validation is in place during login.
- Implement controls against brute force: account lockouts, second-factor authentication and so on.
- Store database credentials securely, preferably using a secrets manager.
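The password-policy and brute-force points above, as an added example (not DusuPay's code): a policy check that reads the page's rule as length of at least 8, one upper-case letter and one special character; PBKDF2 password hashing with a constant-time comparison; and a login guard that locks an account after a configurable number of recent failures. The thresholds and the timing-equalising dummy hash are assumptions for the example, and a production service would keep the counters in a shared store rather than in memory.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MIN_LENGTH = 8
PBKDF2_ROUNDS = 100_000


def password_meets_policy(password: str) -> bool:
    """One reading of the page's policy: >= 8 chars, an upper-case letter, a special char."""
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Constructed dummy credential, hashed for unknown usernames so that the
# response time does not reveal whether an account exists.
DUMMY_SALT, DUMMY_DIGEST = hash_password("not-a-real-password!")


@dataclass
class LoginGuard:
    """Tracks failed logins per username and enforces a temporary lockout."""

    max_failures: int = 5
    window_seconds: float = 900.0    # failures older than this are forgotten
    lockout_seconds: float = 900.0   # how long the account stays locked
    _failures: Dict[str, list] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, username: str, now: float) -> bool:
        return self._locked_until.get(username, 0.0) > now

    def record_failure(self, username: str, now: float) -> bool:
        """Record a failure; return True if this failure triggered a lockout."""
        recent = [t for t in self._failures.get(username, []) if now - t < self.window_seconds]
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures[username] = []
            return True
        return False

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)


def attempt_login(
    guard: LoginGuard,
    users: Dict[str, Tuple[bytes, bytes]],
    username: str,
    password: str,
    now: Optional[float] = None,
) -> str:
    """Return 'ok', 'denied' or 'locked'. Unknown and wrong-password cases are indistinguishable."""
    now = time.time() if now is None else now
    if guard.is_locked(username, now):
        return "locked"
    record = users.get(username)
    if record is None:
        verify_password(password, DUMMY_SALT, DUMMY_DIGEST)  # burn the same time
        ok = False
    else:
        ok = verify_password(password, record[0], record[1])
    if ok:
        guard.record_success(username)
        return "ok"
    return "locked" if guard.record_failure(username, now) else "denied"


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3)
    users = {"alice": hash_password("Str0ng!pass")}   # constructed account
    for i in range(4):
        print(attempt_login(guard, users, "alice", "wrong", now=1000.0 + i))
```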
- 3. Session Termination
  - A clearly accessible button must exist which allows users to log out of the application, which in turn ends the session on the server.
  - Application sessions must be invalidated on the server side.
  - The log-out function must effectively destroy all session tokens and render them unusable.
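The session-termination requirements above, as an added example (not DusuPay's code): an in-memory server-side session registry in which tokens are opaque random strings and carry no state of their own, so that the logout handler can destroy the caller's session and every other session the same user holds, and a destroyed or expired token is refused on the next request. The time-to-live and the in-memory store are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user_id: str
    expires_at: float


class SessionStore:
    """Server-side session registry; all session state lives here, not in the token."""

    def __init__(self, ttl_seconds: float = 3600.0) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        """Issue a new opaque token for a logged-in user."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; not guessable
        self._sessions[token] = Session(user_id, now + self.ttl)
        return token

    def user_for(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a token to a user, or None if it is unknown, destroyed or expired."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None
        if session.expires_at <= now:
            del self._sessions[token]   # expired tokens are dropped, never revived
            return None
        return session.user_id

    def logout(self, token: str, now: Optional[float] = None) -> int:
        """Back the logout button: destroy this session and every other session of the same user.

        Returns the number of sessions destroyed (0 if the token was already invalid).
        """
        user_id = self.user_for(token, now)
        if user_id is None:
            return 0
        return self.revoke_all_for_user(user_id)

    def revoke_all_for_user(self, user_id: str) -> int:
        """Also the right call after a password change or a suspected account takeover."""
        victims = [t for t, s in self._sessions.items() if s.user_id == user_id]
        for t in victims:
            del self._sessions[t]
        return len(victims)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    laptop = store.create("user-1", now=0.0)
    phone = store.create("user-1", now=0.0)
    print("destroyed:", store.logout(laptop, now=1.0))       # both sessions go
    print("phone token still valid:", store.user_for(phone, now=1.0) is not None)
```

Because the server never trusts anything inside the token, "rendering it unusable" is a matter of deleting the registry entry; no client-side action can bring it back.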
- 4. Input and Output Forms
  - All input (user and service) must be validated on the server side, regardless of any client-side validation, to permit only the characters required and the field length necessary.
  - With proper input validation and output encoding, applications should not be susceptible to cross-site scripting, either stored or reflected. This includes all headers, cookies, query strings, form fields and hidden fields.
  - Create a whitelist of acceptable characters to be used by the application.
  - Use sanitised parameters.
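The input-validation and output-encoding points above, as an added example (not DusuPay's code): a per-field whitelist of allowed characters and maximum length that is applied on the server to every submitted field, rejects fields the form does not expect, and an output-encoding step that makes any value inert before it is placed in HTML. The field names, patterns and limits are constructed for the example.

```python
import html
import re
from typing import Dict, Optional, Pattern, Tuple

# Constructed whitelist: for each field the allowed characters and maximum length.
# Anything not listed here is not accepted by the application.
FIELD_RULES: Dict[str, Tuple[Pattern[str], int]] = {
    "account_name": (re.compile(r"[A-Za-z .'-]+"), 64),
    "phone": (re.compile(r"\+?[0-9]{7,15}"), 16),
    "reference": (re.compile(r"[A-Za-z0-9_-]+"), 40),
}


def validate_field(name: str, value: str) -> Optional[str]:
    """Return an error message, or None when the value passes its whitelist."""
    rule = FIELD_RULES.get(name)
    if rule is None:
        return f"unexpected field {name!r}"
    pattern, max_len = rule
    if len(value) > max_len:
        return f"{name} longer than {max_len} characters"
    # fullmatch, not search: the whole value must consist of allowed characters
    if pattern.fullmatch(value) is None:
        return f"{name} contains characters outside the whitelist"
    return None


def validate_form(form: Dict[str, str]) -> Dict[str, str]:
    """Server-side validation of a whole submission; an empty dict means it is clean."""
    errors: Dict[str, str] = {}
    for name in FIELD_RULES:
        if name not in form:
            errors[name] = f"{name} is required"
    for name, value in form.items():
        error = validate_field(name, value)
        if error is not None:
            errors[name] = error
    return errors


def render_field(value: str) -> str:
    """Output-encode a value before embedding it in HTML so markup in it is inert."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed submissions: one clean, one carrying markup in a name field.
    print(validate_form({"account_name": "Jane O'Neil", "phone": "+256700000000", "reference": "INV-001"}))
    bad = {"account_name": "<b>Jane</b>", "phone": "+256700000000", "reference": "INV-001"}
    print(validate_form(bad))
    print(render_field(bad["account_name"]))   # rendered as text, not as a tag
```

Validation and encoding are separate layers: the whitelist keeps markup out of stored data, and encoding at render time protects against anything that reached the page by another route (a header, a cookie, a legacy record).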
- 5. Vulnerability and Security Assessment: ensure your application is secured against this non-exhaustive list
  - Cross-Site Request Forgery
  - Cross-Site Scripting (reflected and stored)