Best Practices

These are some of the practices we recommend for secure and efficient use of our API.

Collections

  • Ensure you verify the details of the payment by comparing the amount, currency, transaction reference, etc. against what you expected before you give value

  • Always implement webhooks when applicable

Error Handling

Ensure errors are “caught” and that, in the worst case, only general error messages are shown to users. Refer to the Error handling section.

Validating Webhooks

We recommend the use of a Secret Hash, set on your dashboard via Settings > Webhooks, in order to verify that the webhook was sent by us.
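The two checks above (the Secret Hash on an incoming webhook, and the amount/currency/reference comparison before value is given) fit naturally into one handler. The example below is added here and is not DusuPay's code: the header name `verif-hash`, the payload field names, the secret and the expected-order table are all constructed for illustration, so substitute the names from the webhook documentation and your own order store.

```python
import hmac
import json
from decimal import Decimal, InvalidOperation

# Constructed values for this example. In a real deployment the secret hash comes from
# the environment or a secrets manager, and the expected orders from your own database.
SECRET_HASH = "constructed-secret-hash-for-demo"
EXPECTED_ORDERS = {
    "ORD-1001": {"amount": "5000.00", "currency": "UGX"},
}
# Header and field names below are assumptions for illustration; use the ones in the webhook docs.
HASH_HEADER = "verif-hash"


def secret_hash_valid(headers, secret_hash):
    """Constant-time comparison of the received hash with the one configured on the dashboard."""
    received = headers.get(HASH_HEADER, "")
    return hmac.compare_digest(received.encode(), secret_hash.encode())


def payment_matches_order(payload, orders):
    """Check that the notified payment is exactly the one we expect before giving value."""
    reference = payload.get("transaction_reference")
    expected = orders.get(reference)
    if expected is None:
        return False, "unknown reference"
    if payload.get("status") != "COMPLETED":
        return False, "payment not completed"
    if payload.get("currency") != expected["currency"]:
        return False, "currency mismatch"
    try:
        paid = Decimal(str(payload.get("amount", "")))
    except InvalidOperation:
        return False, "unparseable amount"
    if paid != Decimal(expected["amount"]):
        return False, "amount mismatch"
    return True, "ok"


def handle_webhook(headers, raw_body, secret_hash=SECRET_HASH, orders=EXPECTED_ORDERS, fulfilled=None):
    """Return (give_value, reason). `fulfilled` records references already credited,
    so a redelivered webhook does not credit the customer twice."""
    if fulfilled is None:
        fulfilled = set()
    if not secret_hash_valid(headers, secret_hash):
        return False, "bad secret hash"
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return False, "malformed body"
    if not isinstance(payload, dict):
        return False, "malformed body"
    ok, reason = payment_matches_order(payload, orders)
    if not ok:
        return False, reason
    reference = payload["transaction_reference"]
    if reference in fulfilled:
        return False, "already fulfilled"
    fulfilled.add(reference)
    return True, "ok"
```

The hash check runs before the body is parsed, so nothing is done with an unauthenticated request; the amount is compared as a `Decimal` so that "5000" and "5000.00" are treated as equal while "4999.99" is not.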

Security Recommendations

  1. API Management

    Verify that your app meets these requirements for managing your API Keys:

    • API Keys should not be hardcoded in the codebase.

    • API calls requiring your DusuPay Secret Key should never be initiated from a client (browser/mobile app); they should be made from the backend/server part of the application

    • API Keys should be stored in environment variables or a secrets manager.

  2. Authentication

    • Ensure a strong password policy is enforced, e.g. a minimum of 8 alphanumeric characters, an upper-case letter and a special character

    • Ensure input validation is in place during login

    • Implement controls against brute force: account lockouts, second-factor authentication and so on.

    • Store database credentials securely, preferably using a secrets manager.
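The password policy, login input validation and lockout control from the list above, combined into one login path. This is an added example, not DusuPay's code: the username allow-list, the reading of "8 alphanumeric characters" as "at least 8 characters including both letters and digits", the lockout threshold and the PBKDF2 storage format are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Input validation at login: usernames must match this allow-list before anything else happens
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")


def password_policy_violations(password):
    """Return the policy rules the password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not any(c.isalpha() for c in password) or not any(c.isdigit() for c in password):
        problems.append("must contain both letters and digits")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 (storage format assumed for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class LoginGuard:
    """Counts failed attempts per account and locks the account once the limit is reached."""
    max_failed: int = 5
    failed: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def is_locked(self, username):
        return username in self.locked

    def record_failure(self, username):
        self.failed[username] = self.failed.get(username, 0) + 1
        if self.failed[username] >= self.max_failed:
            self.locked.add(username)

    def record_success(self, username):
        self.failed.pop(username, None)


def attempt_login(guard, users, username, password):
    """`users` maps username -> (salt, pbkdf2 hash).
    Returns one of 'invalid_input', 'locked', 'invalid', 'ok'."""
    if not USERNAME_RE.fullmatch(username):
        return "invalid_input"
    if guard.is_locked(username):
        return "locked"          # a locked account rejects even the correct password
    record = users.get(username)
    if record is not None:
        salt, stored = record
        if hmac.compare_digest(stored, hash_password(password, salt)):
            guard.record_success(username)
            return "ok"
    guard.record_failure(username)
    return "invalid"
```

Unlocking (after a timeout or an administrator action) and a second factor are deliberately left out of the class; in a real system the counters would also live in shared storage rather than in process memory so that the limit holds across application instances.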

  3. Session Termination

    • A clearly accessible button must exist that allows users to log out of the application, which in turn ends the session on the server

    • Application sessions must be invalidated at the server-side

    • The log-out function must destroy all session tokens and render them unusable
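A server-side session store that satisfies the three points above: the token is only an opaque key into the store, so removing the entry on logout makes the token useless even if a client keeps a copy. This is an added example and not DusuPay's code; the TTL, the in-memory dictionary and the method names are assumptions for illustration.

```python
import secrets
import time


class SessionStore:
    """Server-side session registry. Sessions are validated and invalidated here,
    never by trusting anything the client sends back."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (user_id, expires_at)

    def create(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, never derived from user data
        self._sessions[token] = (user_id, now + self.ttl)
        return token

    def user_for(self, token, now=None):
        """Return the user bound to a token, or None if it is unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            self._sessions.pop(token, None)
            return None
        return user_id

    def logout(self, token):
        """Handler for the log-out button: destroys this session on the server."""
        return self._sessions.pop(token, None) is not None

    def logout_all(self, user_id):
        """Destroy every session of a user, e.g. after a password change."""
        tokens = [t for t, (u, _) in self._sessions.items() if u == user_id]
        for t in tokens:
            del self._sessions[t]
        return len(tokens)
```

Because validity is decided by the store, a token that has been logged out cannot be "reused" simply by presenting it again, which is the property the third bullet asks for.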

  4. Input and Output Forms

    • All input (user and service) must be validated on the server side, regardless of any client-side validation, to permit only the characters required and the field length necessary

    • With proper input validation and output encoding, applications should not be susceptible to cross-site scripting, either stored or reflected. This applies to all headers, cookies, query strings, form fields and hidden fields

    • Create a whitelist of acceptable characters to be used by the application

    • Use sanitised parameters.
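The four points above in code: a per-field whitelist of characters and lengths enforced on the server, rejection of fields the application did not ask for, and output encoding when a value is rendered back into HTML. This is an added example, not DusuPay's code; the field names and their patterns are constructed for illustration.

```python
import html
import re

# Whitelist per field: the only characters and lengths the application accepts.
# Field names and rules are constructed for this example.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "amount": re.compile(r"[0-9]{1,10}(\.[0-9]{1,2})?"),
    "currency": re.compile(r"[A-Z]{3}"),
    "note": re.compile(r"[A-Za-z0-9 .,'-]{0,140}"),
}


def validate_form(form, rules=FIELD_RULES):
    """Server-side validation. Returns (clean_values, errors): unexpected fields are rejected
    and every expected field must match its whitelist in full (fullmatch, not search)."""
    clean, errors = {}, {}
    for name in form:
        if name not in rules:
            errors[name] = "unexpected field"
    for name, pattern in rules.items():
        value = form.get(name, "")
        if not isinstance(value, str) or not pattern.fullmatch(value):
            errors[name] = "not allowed"
        else:
            clean[name] = value
    return clean, errors


def render_html(value):
    """Output encoding for an HTML body or quoted-attribute context."""
    return html.escape(value, quote=True)


def render_confirmation(clean):
    """Render validated values; encoding is still applied because validation and
    encoding are separate defences and the context may change later."""
    return "<p>Thank you, {}: {} {}</p>".format(
        render_html(clean["username"]),
        render_html(clean["amount"]),
        render_html(clean["currency"]),
    )
```

Validation answers "is this value one the application accepts?" and encoding answers "how is this value written safely into this output context?"; keeping both means a field whose rules are later relaxed does not silently become an injection point.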

  5. Vulnerability and Security Assessment

    Ensure your application is secured against this non-exhaustive list of issues:

    • Cross-Site Request Forgery

    • Cross-Site Scripting (reflected and stored)
